CVE-2021-32573 - OpenCVE

The express-cart package through 1.1.10 for Node.js allows Reflected XSS (for an admin) via a user input field for product options. NOTE: the vendor states that this "would rely on an admin hacking his/her own website.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Express-cart Project	Express-cart

Configuration 1 [-]

cpe:2.3:a:express-cart_project:express-cart:*:*:*:*:*:node.js:*:*

References

Link	Resource
https://hackerone.com/reports/395944	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2021-05-11T16:46:14

Updated: 2021-05-11T16:46:14

Reserved: 2021-05-11T00:00:00

Link: CVE-2021-32573

JSON object: View

NVD Information

Status : Modified

Published: 2021-05-11T17:15:07.690

Modified: 2024-05-17T01:57:34.943

Link: CVE-2021-32573

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:express-cart_project:express-cart:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "2697A321-5A68-4F7A-AA88-E46218C12C93", "versionEndIncluding": "1.1.10", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The express-cart package through 1.1.10 for Node.js allows Reflected XSS (for an admin) via a user input field for product options. NOTE: the vendor states that this \"would rely on an admin hacking his/her own website."}, {"lang": "es", "value": "** EN DISPUTA ** El paquete express-cart versiones hasta 1.1.10 para Node.js permite un ataque de tipo XSS Reflejado (para un administrador) por medio de un campo de entrada de usuario para las opciones del producto. NOTA: el proveedor afirma que esto \"depender\u00eda de que un hacking administrador pirateara su propio sitio web\""}], "id": "CVE-2021-32573", "lastModified": "2024-05-17T01:57:34.943", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-05-11T17:15:07.690", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://hackerone.com/reports/395944"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}