
CVE-2021-21422 – XSS Vulnerability in mongo-express
https://notcve.org/view.php?id=CVE-2021-21422
21 Jun 2021 — mongo-express is a web-based MongoDB admin interface, written with Node.js and express. Two rendering paths emit stored data unescaped. 1: As described in https://github.com/mongo-express/mongo-express/issues/577, when the content of a cell grows larger than the supported size, clicking on the row shows the full document unescaped; this path requires an admin to interact with the cell. 2: Data cells identified as media (image, audio, video, etc.) are rendered as media without being sanitized, so attacker-controlled document content becomes markup. As an example of a type 1 attack, ... • https://github.com/mongo-express/mongo-express/commit/f5e0d4931f856f032f22664b5e5901d5950cfd4b • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2020-24391
https://notcve.org/view.php?id=CVE-2020-24391
30 Mar 2021 — mongo-express before 1.0.0 offers support for certain advanced syntax but implements this in an unsafe way. NOTE: this may overlap CVE-2019-10769. • https://github.com/mongo-express/mongo-express/commit/3a26b079e7821e0e209c3ee0cc2ae15ad467b91a

CVE-2019-10758 – MongoDB mongo-express Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2019-10758
24 Dec 2019 — mongo-express before 0.54.0 is vulnerable to Remote Code Execution via endpoints that use the `toBSON` method. The root cause is a misuse of the `vm` dependency: user input is evaluated as JavaScript inside a `vm` context that is treated as a sandbox, but that context is not a security boundary, so the input can reach the host process and execute commands. • https://github.com/masahiro331/CVE-2019-10758 • CWE-94: Improper Control of Generation of Code ('Code Injection')