GHSA-F5CV-XRV9-R8W7

Vulnerability from github – Published: 2020-09-01 21:17 – Updated: 2021-09-24 20:58
VLAI?
Summary
NoSQL injection in express-cart
Details

Versions of express-cart before 1.1.8 are vulnerable to NoSQL injection.

The vulnerability is caused by the lack of user input sanitization in the login handlers. In both cases, the customer login and the admin login, parameters from the JSON body are sent directly into the MongoDB query which allows to insert operators.

These operators can be used to extract the value of the field blindly in the same manner of a blind SQL injection. In this case, the $regex operator is used to guess each character of the token from the start.

Recommendation

Update to version 1.1.8 or later.

Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.1.7"
      },
      "package": {
        "ecosystem": "npm",
        "name": "express-cart"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T18:33:28Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "Versions of `express-cart` before 1.1.8 are vulnerable to NoSQL injection. \n\nThe vulnerability is caused by the lack of user input sanitization in the login handlers. In both cases, the customer login and the admin login, parameters from the JSON body are sent directly into the MongoDB query which allows to insert operators. \n\nThese operators can be used to extract the value of the field blindly in the same manner of a blind SQL injection. In this case, the `$regex` operator is used to guess each character of the token from the start.\n\n\n## Recommendation\n\nUpdate to version 1.1.8 or later.",
  "id": "GHSA-f5cv-xrv9-r8w7",
  "modified": "2021-09-24T20:58:36Z",
  "published": "2020-09-01T21:17:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/397445"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nodejs/security-wg"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nodejs/security-wg/blob/master/vuln/npm/472.json"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/724"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "NoSQL injection in express-cart"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.