Wiz
Vulnerability DatabaseCVE-2020-22403

CVE-2020-22403
JavaScript vulnerability analysis and mitigation

Overview

Cross Site Request Forgery (CSRF) vulnerability was discovered in Express cart v1.1.16, affecting the application's administrative functions. The vulnerability was identified and assigned CVE-2020-22403. The issue allows attackers to perform unauthorized administrative actions including adding administrator accounts and discount codes (MITRE CVE).

Technical details

The vulnerability exists because the API admin functionality only checks session parameters without implementing proper CSRF protections. The express-cart package through version 1.1.10 for Node.js is affected by this CSRF vulnerability. The severity is rated as HIGH with a CVSS v3.1 Base Score of 8.8 (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) (NVD).

Impact

The vulnerability allows attackers to perform unauthorized administrative actions including creating administrator accounts and adding discount codes. This could lead to complete compromise of administrative functions and potential unauthorized access to the application (MITRE CVE, GitHub Issue).

Mitigation and workarounds

Users should upgrade to a version newer than v1.1.16 that includes CSRF protections. The vulnerability was reported through GitHub issues and acknowledged by the project maintainers (GitHub Issue).

Additional resources

SourceThis report was generated using AI

Related JavaScript vulnerabilities:

CVE ID

Severity

Score

Technologies

Component name

CISA KEV exploit

Has fix

Published date

CVE-2026-22610HIGH8.5
  • JavaScriptJavaScript
  • angular.js
NoYesJan 10, 2026
CVE-2026-22595HIGH8.1
  • JavaScriptJavaScript
  • ghost
NoYesJan 10, 2026
CVE-2026-22594HIGH8.1
  • JavaScriptJavaScript
  • ghost
NoYesJan 10, 2026
CVE-2026-22596MEDIUM6.7
  • JavaScriptJavaScript
  • ghost
NoYesJan 10, 2026
CVE-2026-22597LOW2
  • JavaScriptJavaScript
  • ghost
NoYesJan 10, 2026

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

Cloud Threat Landscape

A threat intelligence database

PEACH

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo