5 matches found
CVE-2019-10758
MongoDB mongo-express ≤0.53.x is vulnerable to Remote Code Execution via endpoints using toBSON, due to unsafe use of the vm module to run exec commands. Affected component: mongo-express server-side routes that invoke toBSON. Root cause: misusing vm to execute commands in a non-safe environment....
CVE-2020-24391
Summary: CVE-2020-24391 affects Mongo-Express before 1.0.0 and enables remote code execution. The Nuclei template describes that it uses unsafe evaluation (safer-eval) to validate user-supplied JavaScript, and that the sandboxing can be bypassed, allowing code execution in the node server context...
CVE-2021-21422
Summary: CVE-2021-21422 affects mongo-express, a Node.js/Express-based MongoDB admin UI. The issue stems from two XSS vectors: (1) when a cell’s content exceeds the supported size, clicking a row reveals the full document unescaped (requires admin interaction); (2) media-like data cells render as...
CVE-2023-52555
CVE-2023-52555 : Mongo-Express 1.0.2 is vulnerable to Cross-Site Request Forgery via the /admin endpoint due to missing CSRF protection. An attacker could cause unauthorized actions (e.g., deletion of a Collection). Exploitation details are not provided in the available sources. References consis...
CVE-2021-23372
The CVE-2021-23372 entry concerns all versions of mongo-express with a Denial of Service when exporting an empty collection to CSV due to an unhandled exception that crashes the application. Affected software is the mongo-express package (Node.js/Express-based web UI for MongoDB). The root cause ...