2 matches found
CVE-2023-6144
Dev Blog v1.0 is affected by CVE-2023-6144 via a security bypass allowing account takeover through the user cookie. An attacker can access any user’s session by knowing the username. The root cause is improper session cookie handling in a Node.js/Express + MongoDB setup. Public references describ...
CVE-2023-6142
Dev Blog v1.0 is affected by an XSS vulnerability triggered via an unrestricted file upload with poor filename entropy. An attacker can upload a malicious HTML file and then guess the filename to deliver it to a victim. Affected component: Dev Blog (Node.js/Express/MongoDB) v1.0; root cause: lack...