First published: Mon Jun 21 2021
mongo-express is a web-based MongoDB admin interface, written with Node.js and Express. Two rendering paths output document data without escaping it:

1. As described in https://github.com/mongo-express/mongo-express/issues/577, when the content of a cell grows larger than the supported size, clicking on the row shows the full document unescaped. This requires an admin to interact with the cell.
2. Data cells identified as media (image, audio, video, etc.) are rendered as media without being sanitized.

As an example of a type 1 attack, an unauthorized user who can only write a large amount of data into a field of a document may store a payload with embedded JavaScript. When an admin expands the row, that script could send an export of a collection to the attacker without the admin knowing. Other attacks, such as dropping a database or collection, are also possible.
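The two rendering paths above, shown as an added example (not mongo-express code): a minimal cell renderer in the vulnerable shape beside an escaping fix for the oversized-cell case, and an allowlisted, attribute-escaped renderer for the media case. The names, the `MAX_CELL_LENGTH` threshold and the sample document are assumptions.

```javascript
// Added example (not mongo-express code): a minimal cell renderer that shows
// the unsafe pattern the advisory describes beside an escaping fix.
// MAX_CELL_LENGTH, the function names and the sample document are assumptions.

const MAX_CELL_LENGTH = 100; // assumed display limit for a table cell

// Escape the characters that matter in HTML text and attribute contexts.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Type 1, vulnerable shape: an oversized value is shown in full, unescaped.
function renderCellUnsafe(value) {
  const text = String(value);
  return text.length > MAX_CELL_LENGTH ? `<pre>${text}</pre>` : `<td>${text}</td>`;
}

// Type 1, fixed shape: both branches escape before the value reaches the DOM.
function renderCellSafe(value) {
  const text = String(value);
  const safe = escapeHtml(text);
  return text.length > MAX_CELL_LENGTH ? `<pre>${safe}</pre>` : `<td>${safe}</td>`;
}

// Type 2, fixed shape: only an allowlisted data: image prefix is rendered as
// media, and the value is attribute-escaped; anything else falls back to text.
const IMAGE_DATA_URL = /^data:image\/(png|jpeg|gif);base64,[A-Za-z0-9+/=]+$/;
function renderMediaSafe(value) {
  const text = String(value);
  if (!IMAGE_DATA_URL.test(text)) return renderCellSafe(text);
  return `<img src="${escapeHtml(text)}">`;
}

// Constructed sample: a field above the limit that carries markup.
const sampleDoc = {
  _id: 'example',
  note: '<script>/* attacker-controlled */</script>' + 'A'.repeat(120),
};

// True when rendered HTML still contains a live tag start (a quick check).
function containsRawTag(html) {
  return /<(script|img|svg|iframe)\b/i.test(html);
}
```

Running `renderCellUnsafe(sampleDoc.note)` reproduces the unescaped expansion, while `renderCellSafe` and `renderMediaSafe` never emit a stored value as markup.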
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix
---|---|---
Mongo-express Project Mongo-express | <=0.54.0 |
Mongo-express Project Mongo-express | =1.0.0-alpha1 |
Mongo-express Project Mongo-express | =1.0.0-alpha3 |
https://github.com/mongo-express/mongo-express/commit/f5e0d4931f856f032f22664b5e5901d5950cfd4b
CVE-2021-21422 is a vulnerability in mongo-express, a web-based MongoDB admin interface: when the content of a cell grows larger than the supported size, clicking on the row shows the full document unescaped.
The severity of CVE-2021-21422 is high with a CVSS score of 6.1.
CVE-2021-21422 affects mongo-express versions up to and including 0.54.0, 1.0.0-alpha1, and 1.0.0-alpha3.
To fix CVE-2021-21422, update mongo-express to a version that includes the patch (commit f5e0d4931f856f032f22664b5e5901d5950cfd4b).
More information about CVE-2021-21422 can be found in the references: https://github.com/mongo-express/mongo-express/commit/f5e0d4931f856f032f22664b5e5901d5950cfd4b, https://github.com/mongo-express/mongo-express/issues/577, and https://github.com/mongo-express/mongo-express/security/advisories/GHSA-7p8h-86p5-wv3p.