Description
The express-cart package through 1.1.10 for Node.js allows Reflected XSS (for an admin) via a user input field for product options. NOTE: the vendor states that this "would rely on an admin hacking his/her own website.
Remediation
References
https://hackerone.com/reports/395944
Related Vulnerabilities
CVE-2022-0686 Vulnerability in npm package url-parse
CVE-2019-15603 Vulnerability in npm package seeftl
CVE-2016-7103 Vulnerability in maven package org.webjars.bower:jquery-ui
CVE-2014-0168 Vulnerability in maven package org.jolokia:jolokia-core
CVE-2022-23496 Vulnerability in maven package nl.basjes.parse.useragent:yauaa-flink-table