3 results (0.003 seconds)

CVSS: 8.1EPSS: 0%CPEs: 3EXPL: 2

mongo-express is a web-based MongoDB admin interface, written with Node.js and express. 1: As mentioned in this issue: https://github.com/mongo-express/mongo-express/issues/577, when the content of a cell grows larger than supported size, clicking on a row will show full document unescaped, however this needs admin interaction on cell. 2: Data cells identified as media will be rendered as media, without being sanitized. Example of different renders: image, audio, video, etc. As an example of type 1 attack, an unauthorized user who only can send a large amount of data in a field of a document may use a payload with embedded javascript. This could send an export of a collection to the attacker without even an admin knowing. Other types of attacks such as dropping a database\collection are possible. mongo-express es una interfaz de administración de MongoDB basada en la web, escrita con Node.js y express. 1: Como se menciona en este tema: https://github.com/mongo-express/mongo-express/issues/577, cuando el contenido de una celda crece más que el tamaño soportado, al hacer clic en una fila se mostrará el documento completo sin escapar, sin embargo esto necesita la interacción del administrador en la celda. 2: Las celdas de datos identificadas como medios de comunicación se renderizarán como medios de comunicación, sin ser saneados. • https://github.com/mongo-express/mongo-express/commit/f5e0d4931f856f032f22664b5e5901d5950cfd4b https://github.com/mongo-express/mongo-express/issues/577 https://github.com/mongo-express/mongo-express/security/advisories/GHSA-7p8h-86p5-wv3p • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.8EPSS: 47%CPEs: 1EXPL: 0

mongo-express before 1.0.0 offers support for certain advanced syntax but implements this in an unsafe way. NOTE: this may overlap CVE-2019-10769. mongo-express en versiones anteriores a la 1.0.0 ofrece soporte para cierta sintaxis avanzada pero lo implementa de una manera insegura. NOTA: esto puede superponerse a CVE-2019-10769. • https://github.com/mongo-express/mongo-express/commit/3a26b079e7821e0e209c3ee0cc2ae15ad467b91a https://github.com/mongodb-js/query-parser/issues/16 •

CVSS: 9.9EPSS: 97%CPEs: 1EXPL: 4

mongo-express before 0.54.0 is vulnerable to Remote Code Execution via endpoints that uses the `toBSON` method. A misuse of the `vm` dependency to perform `exec` commands in a non-safe environment. mongo-express versiones anteriores a 0.54.0, es vulnerable a una ejecución de código remota por medio de endpoints que utilizan el método "toBSON". Un uso inapropiado de la dependencia "vm" para ejecutar comandos "exec" en un entorno no seguro. mongo-express before 0.54.0 is vulnerable to Remote Code Execution via endpoints that uses the `toBSON` method. • https://github.com/masahiro331/CVE-2019-10758 https://github.com/lp008/CVE-2019-10758 https://github.com/ossf-cve-benchmark/CVE-2019-10758 https://snyk.io/vuln/SNYK-JS-MONGOEXPRESS-473215 •