Vulnerability Details CVE-2018-12457
expressCart before 1.1.6 allows remote attackers to create an admin user via a /admin/setup Referer header.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.006
EPSS Ranking 67.2%
CVSS Severity
CVSS v3 Score 8.8
CVSS v2 Score 6.5
References
- https://github.com/mrvautin/expressCart/commit/baccaae9b0b72f00b10c5453ca00231340ad3e3b
- https://hackerone.com/reports/343626
- https://www.npmjs.com/package/express-cart?activeTab=versions
- https://github.com/mrvautin/expressCart/commit/baccaae9b0b72f00b10c5453ca00231340ad3e3b
- https://hackerone.com/reports/343626
- https://www.npmjs.com/package/express-cart?activeTab=versions
Products affected by CVE-2018-12457
-
cpe:2.3:a:expresscart_project:expresscart:0.0.1
-
cpe:2.3:a:expresscart_project:expresscart:1.0.1
-
cpe:2.3:a:expresscart_project:expresscart:1.1.1
-
cpe:2.3:a:expresscart_project:expresscart:1.1.2
-
cpe:2.3:a:expresscart_project:expresscart:1.1.3
-
cpe:2.3:a:expresscart_project:expresscart:1.1.4
-
cpe:2.3:a:expresscart_project:expresscart:1.1.5