Lucene search
+L
Mongo-express ProjectMongo-express

5 matches found

CVE
CVE
added 2019/12/24 9:8 p.m.1035 views

CVE-2019-10758

MongoDB mongo-express ≤0.53.x is vulnerable to Remote Code Execution via endpoints using toBSON, due to unsafe use of the vm module to run exec commands. Affected component: mongo-express server-side routes that invoke toBSON. Root cause: misusing vm to execute commands in a non-safe environment....

9.9CVSS9.5AI score0.84845EPSS
In wildWeb
CVE
CVE
added 2021/03/30 8:52 p.m.125 views

CVE-2020-24391

Summary: CVE-2020-24391 affects Mongo-Express before 1.0.0 and enables remote code execution. The Nuclei template describes that it uses unsafe evaluation (safer-eval) to validate user-supplied JavaScript, and that the sandboxing can be bypassed, allowing code execution in the node server context...

9.8CVSS9.3AI score0.74519EPSS
CVE
CVE
added 2021/06/21 6:45 p.m.116 views

CVE-2021-21422

Summary: CVE-2021-21422 affects mongo-express, a Node.js/Express-based MongoDB admin UI. The issue stems from two XSS vectors: (1) when a cell’s content exceeds the supported size, clicking a row reveals the full document unescaped (requires admin interaction); (2) media-like data cells render as...

8.1CVSS6.3AI score0.0157EPSS
CVE
CVE
added 2024/03/01 12:0 a.m.78 views

CVE-2023-52555

CVE-2023-52555 : Mongo-Express 1.0.2 is vulnerable to Cross-Site Request Forgery via the /admin endpoint due to missing CSRF protection. An attacker could cause unauthorized actions (e.g., deletion of a Collection). Exploitation details are not provided in the available sources. References consis...

6.1CVSS6.7AI score0.00206EPSS
CVE
CVE
added 2021/04/13 3:20 p.m.51 views

CVE-2021-23372

The CVE-2021-23372 entry concerns all versions of mongo-express with a Denial of Service when exporting an empty collection to CSV due to an unhandled exception that crashes the application. Affected software is the mongo-express package (Node.js/Express-based web UI for MongoDB). The root cause ...

7.5CVSS5.9AI score0.00878EPSS