
CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

01 Feb 2019 — A deficiency in the access control in module express-cart <=1.1.5 allows unprivileged users to add new users to the application as administrators. A deficiency in the access control in express-cart, version 1.1.5 and earlier, allows unprivileged users to add new users to the application as administrators. • https://hackerone.com/reports/343626 • CWE-290: Authentication Bypass by Spoofing

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

11 Dec 2018 — The webp-express plugin before 0.14.11 for WordPress has insufficient protection against arbitrary file reading. The webp-express plugin in versions before 0.14.11 for WordPress has insufficient protection against arbitrary file reading. • https://wordpress.org/plugins/webp-express/#developers • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 9.0 • EPSS: 6% • CPEs: 1 • EXPL: 1

07 Jun 2018 — Unrestricted file upload (RCE) in express-cart module before 1.1.7 allows a privileged user to gain access in the hosting machine. Unrestricted file upload (RCE) in the express-cart module in versions before 1.1.7 allows a privileged user to gain access to the host machine. • https://hackerone.com/reports/343726 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 8.8 • EPSS: 0% • CPEs: 2 • EXPL: 1

31 May 2018 — express-restify-mongoose is a module to easily create a flexible REST interface for mongoose models. express-restify-mongoose 2.4.2 and earlier and 3.0.X through 3.0.1 allows a malicious user to send a request for `GET /User?distinct=password` and get all the passwords for all the users in the database, despite the field being set to private. This can be used for other private data if the malicious user knew what was set as private for specific routes. express-restify-mongoose is a module to easily... • https://github.com/florianholzapfel/express-restify-mongoose/issues/252 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 3

06 Apr 2015 — Cross-site scripting (XSS) vulnerability in cgi-bin/hotspotlogin.cgi in Hotspot Express hotEx Billing Manager 73 allows remote attackers to inject arbitrary web script or HTML via the reply parameter. XSS vulnerability in cgi-bin/hotspotlogin.cgi in Hotspot Express hotEx Billing Manager 73 allows remote attackers to inject arbitrary web script or HTML via the reply parameter. HotExBilling Manager version 73 suffers from a cross-site scripting vulnerability. • https://packetstorm.news/files/id/131297 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.9 • EPSS: 0% • CPEs: 1 • EXPL: 0

11 Oct 2014 — The EXPRESS (aka com.gpshopper.express.android) application 2.5.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. The EXPRESS Android application (also known as com.gpshopper.express.android) 2.5.3 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a... • http://www.kb.cert.org/vuls/id/582497 • CWE-310: Cryptographic Issues

CVSS: 9.8 • EPSS: 0% • CPEs: 2 • EXPL: 0

04 May 2006 — FileProtection Express 1.0.1 and earlier allows remote attackers to bypass authentication via a cookie with an Admin value of 1. • http://securityreason.com/securityalert/835

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

16 Dec 2005 — Cross-site scripting (XSS) vulnerability in CommerceSQL 1.0 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified search module parameters, possibly the keywords parameter in the Quick Find feature. • http://pridels0.blogspot.com/2005/12/commercesql-xss-vuln.html

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

31 Dec 2004 — Multiple cross-site scripting (XSS) vulnerabilities in Express-Web Content Management System (CMS) allow remote attackers to steal cookie-based authentication information and possibly perform other exploits via the (1) n, (2) b, (3) e, or (4) a parameters to default.asp, (5) the Referer header in an HTTP request to login.asp, or (6) the email parameter to subscribe/default.asp. • http://www.maxpatrol.com/advdetails.asp?id=12

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

01 Feb 2000 — The Shoptron shopping cart application allows remote users to modify sensitive purchase information via hidden form fields. • https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-2000-0104