A deficiency in the access control in module express-cart <=1.1.5 allows unprivileged users to add new users to the application as administrators.
CVSS: 8.8, AI Score: 8.5, EPSS: 0.001
Unrestricted file upload (RCE) in the express-cart module before 1.1.7 allows a privileged user to gain access to the hosting machine.
CVSS: 8.8, AI Score: 8.6, EPSS: 0.001
Cross Site Request Forgery (CSRF) vulnerability in Express cart v1.1.16 allows attackers to add an administrator account, add a discount code, or cause other unspecified impacts.
CVSS: 8.8, AI Score: 8.8, EPSS: 0.001
The express-cart package through 1.1.10 for Node.js allows Reflected XSS (for an admin) via a user input field for product options. NOTE: the vendor states that this "would rely on an admin hacking his/her own website."
CVSS: 4.8, AI Score: 4.8, EPSS: 0.001