Mongo Expressproject Mongo Express
By the Year
In 2024 there have been 0 vulnerabilities in Mongo Expressproject Mongo Express . Mongo Express did not have any published security vulnerabilities last year.
Year | Vulnerabilities | Average Score |
---|---|---|
2024 | 0 | 0.00 |
2023 | 0 | 0.00 |
2022 | 0 | 0.00 |
2021 | 3 | 7.80 |
2020 | 0 | 0.00 |
2019 | 1 | 9.90 |
2018 | 0 | 0.00 |
It may take a day or so for new Mongo Express vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Mongo Expressproject Mongo Express Security Vulnerabilities
mongo-express is a web-based MongoDB admin interface, written with Node.js and express
CVE-2021-21422
6.1 - Medium
- June 21, 2021
mongo-express is a web-based MongoDB admin interface, written with Node.js and express. 1: As mentioned in this issue: https://github.com/mongo-express/mongo-express/issues/577, when the content of a cell grows larger than supported size, clicking on a row will show full document unescaped, however this needs admin interaction on cell. 2: Data cells identified as media will be rendered as media, without being sanitized. Example of different renders: image, audio, video, etc. As an example of type 1 attack, an unauthorized user who only can send a large amount of data in a field of a document may use a payload with embedded javascript. This could send an export of a collection to the attacker without even an admin knowing. Other types of attacks such as dropping a database\collection are possible.
XSS
All versions of package mongo-express are vulnerable to Denial of Service (DoS) when exporting an empty collection as CSV
CVE-2021-23372
7.5 - High
- April 13, 2021
All versions of package mongo-express are vulnerable to Denial of Service (DoS) when exporting an empty collection as CSV, due to an unhandled exception, leading to a crash.
Improper Check for Unusual or Exceptional Conditions
mongo-express before 1.0.0 offers support for certain advanced syntax but implements this in an unsafe way
CVE-2020-24391
9.8 - Critical
- March 30, 2021
mongo-express before 1.0.0 offers support for certain advanced syntax but implements this in an unsafe way. NOTE: this may overlap CVE-2019-10769.
mongo-express before 0.54.0 is vulnerable to Remote Code Execution via endpoints that uses the `toBSON` method
CVE-2019-10758
9.9 - Critical
- December 24, 2019
mongo-express before 0.54.0 is vulnerable to Remote Code Execution via endpoints that uses the `toBSON` method. A misuse of the `vm` dependency to perform `exec` commands in a non-safe environment.
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Mongo Expressproject Mongo Express or by Mongo Expressproject? Click the Watch button to subscribe.