Look up vulnerable packages by Package URL.

Purl pkg:npm/express-cart@1.1.8
Type npm
Namespace
Name express-cart
Version 1.1.8
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version null
Latest_non_vulnerable_version null
Affected_by_vulnerabilities
0
url VCID-145a-97vu-jyeg
vulnerability_id VCID-145a-97vu-jyeg
summary
Cross-Site Request Forgery (CSRF)
The express-cart package for Node.js allows CSRF.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-22403
reference_id
reference_type
scores
0
value 0.00141
scoring_system epss
scoring_elements 0.34031
published_at 2026-06-05T12:55:00Z
1
value 0.00141
scoring_system epss
scoring_elements 0.34002
published_at 2026-06-09T12:55:00Z
2
value 0.00141
scoring_system epss
scoring_elements 0.3398
published_at 2026-06-08T12:55:00Z
3
value 0.00141
scoring_system epss
scoring_elements 0.34013
published_at 2026-06-07T12:55:00Z
4
value 0.00141
scoring_system epss
scoring_elements 0.34045
published_at 2026-06-06T12:55:00Z
5
value 0.00141
scoring_system epss
scoring_elements 0.33929
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-22403
1
reference_url https://github.com/mrvautin/expressCart
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/mrvautin/expressCart
2
reference_url https://github.com/mrvautin/expressCart/commit/cd3ba1bc609c2f2946bfbc7ee2fccf3483eb71fb
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/mrvautin/expressCart/commit/cd3ba1bc609c2f2946bfbc7ee2fccf3483eb71fb
3
reference_url https://github.com/mrvautin/expressCart/issues/120
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/mrvautin/expressCart/issues/120
4
reference_url https://hackerone.com/reports/395944
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://hackerone.com/reports/395944
5
reference_url https://security.netapp.com/advisory/ntap-20210909-0004
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20210909-0004
6
reference_url https://security.netapp.com/advisory/ntap-20210909-0004/
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20210909-0004/
7
reference_url https://www.npmjs.com/package/express-cart
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.npmjs.com/package/express-cart
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-22403
reference_id CVE-2020-22403
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-22403
9
reference_url https://github.com/advisories/GHSA-h5q8-5697-9p9h
reference_id GHSA-h5q8-5697-9p9h
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-h5q8-5697-9p9h
fixed_packages
0
url pkg:npm/express-cart@1.1.11
purl pkg:npm/express-cart@1.1.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-eb7w-y953-67dy
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/express-cart@1.1.11
1
url pkg:npm/express-cart@1.1.17
purl pkg:npm/express-cart@1.1.17
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-eb7w-y953-67dy
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/express-cart@1.1.17
aliases CVE-2020-22403, GHSA-h5q8-5697-9p9h
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-145a-97vu-jyeg
1
url VCID-eb7w-y953-67dy
vulnerability_id VCID-eb7w-y953-67dy
summary Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in express-cart.
references
0
reference_url https://hackerone.com/reports/395944
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://hackerone.com/reports/395944
1
reference_url https://www.npmjs.com/advisories/808
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://www.npmjs.com/advisories/808
2
reference_url https://github.com/advisories/GHSA-9pr3-7449-977r
reference_id GHSA-9pr3-7449-977r
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-9pr3-7449-977r
fixed_packages
aliases GHSA-9pr3-7449-977r, GMS-2020-716
risk_score 1.4
exploitability 0.5
weighted_severity 2.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-eb7w-y953-67dy
2
url VCID-wx6w-8yww-v3em
vulnerability_id VCID-wx6w-8yww-v3em
summary
Cross-site Scripting
(This issue is currently in DISPUTED state). The express-cart package for Node.js allows Reflected XSS (for an admin) via a user input field for product options. The vendor states that this "would rely on an admin hacking his/her own website."
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-32573
reference_id
reference_type
scores
0
value 0.00212
scoring_system epss
scoring_elements 0.43704
published_at 2026-06-04T12:55:00Z
1
value 0.00212
scoring_system epss
scoring_elements 0.43774
published_at 2026-06-05T12:55:00Z
2
value 0.00212
scoring_system epss
scoring_elements 0.43784
published_at 2026-06-06T12:55:00Z
3
value 0.00212
scoring_system epss
scoring_elements 0.43761
published_at 2026-06-07T12:55:00Z
4
value 0.00212
scoring_system epss
scoring_elements 0.43726
published_at 2026-06-08T12:55:00Z
5
value 0.00212
scoring_system epss
scoring_elements 0.43736
published_at 2026-06-09T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-32573
1
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-32573
reference_id CVE-2021-32573
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2021-32573
fixed_packages
0
url pkg:npm/express-cart@1.1.11
purl pkg:npm/express-cart@1.1.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-eb7w-y953-67dy
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/express-cart@1.1.11
aliases CVE-2021-32573
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wx6w-8yww-v3em
Fixing_vulnerabilities
0
url VCID-atgx-r2qy-8ufe
vulnerability_id VCID-atgx-r2qy-8ufe
summary
NoSQL injection in express-cart
Versions of `express-cart` before 1.1.8 are vulnerable to NoSQL injection.

The vulnerability is caused by the lack of user input sanitization in the login handlers. In both cases, the customer login and the admin login, parameters from the JSON body are sent directly into the MongoDB query, which allows operators to be inserted.

These operators can be used to extract the value of the field blindly, in the same manner as a blind SQL injection. In this case, the `$regex` operator is used to guess each character of the token from the start.

## Recommendation

Update to version 1.1.8 or later.
references
0
reference_url https://github.com/nodejs/security-wg
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/nodejs/security-wg
1
reference_url https://github.com/nodejs/security-wg/blob/master/vuln/npm/472.json
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/nodejs/security-wg/blob/master/vuln/npm/472.json
2
reference_url https://hackerone.com/reports/397445
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://hackerone.com/reports/397445
3
reference_url https://www.npmjs.com/advisories/724
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.npmjs.com/advisories/724
4
reference_url https://github.com/advisories/GHSA-f5cv-xrv9-r8w7
reference_id GHSA-f5cv-xrv9-r8w7
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-f5cv-xrv9-r8w7
fixed_packages
0
url pkg:npm/express-cart@1.1.8
purl pkg:npm/express-cart@1.1.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-145a-97vu-jyeg
1
vulnerability VCID-eb7w-y953-67dy
2
vulnerability VCID-wx6w-8yww-v3em
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/express-cart@1.1.8
aliases GHSA-f5cv-xrv9-r8w7, GMS-2020-717
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-atgx-r2qy-8ufe
Risk_score 4.0
Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/express-cart@1.1.8