A deficiency in the access control in module express-cart <=1.1.5 allows unprivileged users to add new users to the application as administrators.
[
{
"product": "express-cart",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": ">=1.1.6"
}
]
}
]