Advisories for Npm/Express-Cart package

The express-cart package for Node.js allows CSRF.

(This issue is currently in DISPUTED state). The express-cart package for Node.js allows Reflected XSS (for an admin) via a user input field for product options. The vendor states that this "would rely on an admin hacking his/her own website."

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in express-cart.

Relative Path Traversal in express-cart.

Versions of express-cart before 1.1.8 are vulnerable to NoSQL injection. The vulnerability is caused by the lack of user input sanitization in the login handlers. In both cases, the customer login and the admin login, parameters from the JSON body are sent directly into the MongoDB query which allows to insert operators. These operators can be used to extract the value of the field blindly in the same manner of …

Versions of express-cart before 1.1.6 are vulnerable to privilege escalation. This vulnerability can be exploited so that normal users can escalate their privilege and add new administrator users. Recommendation Update to version 1.1.6 or later.

A deficiency in the access control in module express-cart allows unprivileged users to add new users to the application as administrators.

expressCart allows remote attackers to create an admin user via a /admin/setup Referer header.

Unrestricted file upload (RCE) in express-cart module allows a privileged user to gain access in the hosting machine.