Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTlwcjMtNzQ0OS05Nzdy
Cross-Site Scripting in express-cart
All versions of harp
are vulnerable to Cross-Site Scripting. In the admin page it is possible to inject arbitrary JavaScript as a new product option, allowing attackers to execute arbitrary code. This is limited to the admin page and does not affect other pages.
Recommendation
No fix is currently available. Consider using an alternative module until a fix is made available.
Permalink: https://github.com/advisories/GHSA-9pr3-7449-977rJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTlwcjMtNzQ0OS05Nzdy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: over 3 years ago
Updated: over 1 year ago
Identifiers: GHSA-9pr3-7449-977r
References:
- https://hackerone.com/reports/395944
- https://www.npmjs.com/advisories/808
- https://github.com/advisories/GHSA-9pr3-7449-977r
Affected Packages
npm:express-cart
Dependent packages: 1Dependent repositories: 2
Downloads: 83 last month
Affected Version Ranges: >= 0
No known fixed version
All affected versions: 1.0.1, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.1.7, 1.1.8, 1.1.9, 1.1.10, 1.1.11, 1.1.12, 1.1.13, 1.1.14, 1.1.15, 1.1.16, 1.1.17