CVE-2018-12457

Description

Express-Cart before 1.1.6 allows remote attackers to create an admin user via an `/admin/setup` Referer header.

Affected packages (1)

• npm/express-cartfrom 0, < 1.1.6

CVSS scores

References (8)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2018-12457
• PATCHhttps://github.com/mrvautin/expressCart
• WEBhttps://github.com/mrvautin/expressCart/commit/baccaae9b0b72f00b10c5453ca00231340ad3e3b
• WEBhttps://github.com/nodejs/security-wg/blob/main/vuln/npm/469.json
• WEBhttps://hackerone.com/reports/343626
• WEBhttps://snyk.io/vuln/npm:express-cart:20180712
• WEBhttps://www.npmjs.com/advisories/730
• WEBhttps://www.npmjs.com/package/express-cart?activeTab=versions