GHSA-f5cv-xrv9-r8w7: 
JavaScript vulnerability analysis and mitigation

A high-severity NoSQL injection vulnerability was identified in express-cart versions 1.1.7 and earlier, tracked as GHSA-f5cv-xrv9-r8w7. The vulnerability was discovered on August 20, 2018, and published to the GitHub Advisory Database on September 1, 2020. This security issue affects both customer and admin login functionality in the express-cart npm package (GitHub Advisory).

The vulnerability stems from inadequate user input sanitization in the login handlers. Both customer and admin login endpoints are affected, where parameters from the JSON body are directly incorporated into MongoDB queries without proper sanitization. This allows attackers to inject MongoDB operators, particularly the $regex operator, which can be used to extract field values through blind injection techniques, similar to blind SQL injection attacks. The vulnerability has been assigned a CVSS score of 8.2 with the vector CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N and is categorized under CWE-89 (Security WG).

The vulnerability enables attackers to perform email enumeration through MongoDB injection in both customer and admin interfaces. This could potentially lead to unauthorized access to sensitive information and compromise of user accounts (GitHub Advisory).

Users are strongly recommended to update to express-cart version 1.1.8 or later, which contains the patch for this vulnerability. This version implements proper input sanitization to prevent NoSQL injection attacks (GitHub Advisory).