I would like to report Reflected XSS in the npm module express-cart.
It allows a user to insert a malicious payload in the user input field, and the script gets reflected in the browser.
module name: express-cart
version: 1.1.5
npm page: https://www.npmjs.com/package/express-cart
expressCart is a fully functional shopping cart built in Node.js (Express, MongoDB) with Stripe, PayPal, and Authorize.net payments.
[27] downloads in the last week
When the admin user creates a request for a new product, the field “Product option” accepts any malicious user input. This led me to identify the reflected XSS attack.
This vulnerability would allow a user to insert JavaScript payloads which can be reflected in a browser.