Description
The express-cart package through 1.1.10 for Node.js allows Reflected XSS (for an admin) via a user input field for product options. NOTE: the vendor states that this "would rely on an admin hacking his/her own website."
Remediation
References
https://hackerone.com/reports/395944
Related Vulnerabilities
CVE-2019-10767 Vulnerability in npm package iobroker.js-controller
CVE-2020-28482 Vulnerability in npm package fastify-csrf
CVE-2021-32621 Vulnerability in maven package org.xwiki.platform:xwiki-platform-dashboard-macro
CVE-2020-36187 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind
CVE-2020-26939 Vulnerability in maven package org.bouncycastle:bcprov-jdk14