Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWY1Y3YteHJ2OS1yOHc3
NoSQL injection in express-cart
Versions of express-cart before 1.1.8 are vulnerable to NoSQL injection.
The vulnerability is caused by the lack of user input sanitization in the login handlers. In both cases, the customer login and the admin login, parameters from the JSON body are sent directly into the MongoDB query which allows to insert operators.
These operators can be used to extract the value of the field blindly in the same manner of a blind SQL injection. In this case, the $regex operator is used to guess each character of the token from the start.
Recommendation
Update to version 1.1.8 or later.
Permalink: https://github.com/advisories/GHSA-f5cv-xrv9-r8w7JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWY1Y3YteHJ2OS1yOHc3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 3 years ago
Updated: over 1 year ago
Identifiers: GHSA-f5cv-xrv9-r8w7
References:
- https://hackerone.com/reports/397445
- https://github.com/nodejs/security-wg/blob/master/vuln/npm/472.json
- https://www.npmjs.com/advisories/724
- https://github.com/advisories/GHSA-f5cv-xrv9-r8w7
Affected Packages
npm:express-cart
Dependent packages: 1Dependent repositories: 2
Downloads: 83 last month
Affected Version Ranges: <= 1.1.7
Fixed in: 1.1.8
All affected versions: 1.0.1, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.1.7
All unaffected versions: 1.1.8, 1.1.9, 1.1.10, 1.1.11, 1.1.12, 1.1.13, 1.1.14, 1.1.15, 1.1.16, 1.1.17