Unknown · Mongo-Express · CVE-2021-21422
**Name of the Vulnerable Software and Affected Versions**
mongo-express versions prior to v1.0.0-alpha.4
**Description**
mongo-express is a web-based MongoDB admin interface, and two cross-site scripting (XSS) attacks are possible in the affected versions. First, when the content of a cell exceeds the supported display size, clicking on the row shows the full document unescaped; this path requires the admin to interact with the cell. Second, data cells identified as media are rendered as media without being sanitized, which also allows script injection. An unauthorized user can exploit this by storing a large amount of data in a field of a document; a payload with embedded JavaScript can then export a collection to the attacker without the admin's knowledge. Other actions, such as dropping a database or collection, are also possible.
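As an added illustration (not code from mongo-express), the following JavaScript contrasts the unescaped cell rendering described above with an escaped rendering, and shows a media renderer that only emits an image tag for a strictly validated image data URL; the function names and the sample document are constructed for this example.

```javascript
// Added example, not mongo-express code: rendering stored document values as HTML.
// Every field value comes from the database and must be treated as untrusted.

const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Vulnerable pattern: the stored field value is interpolated into HTML as-is.
function renderCellUnsafe(value) {
  return `<td>${value}</td>`;
}

// Hardened pattern: the value is HTML-escaped before interpolation.
function renderCellSafe(value) {
  return `<td>${escapeHtml(value)}</td>`;
}

// Full-document view (the "click the row" case): the JSON is escaped as well.
function renderDocumentSafe(doc) {
  return `<pre>${escapeHtml(JSON.stringify(doc, null, 2))}</pre>`;
}

// Media cells: only render an <img> when the value is a data URL with an image
// MIME type and a base64 body; the character class excludes quotes and angle
// brackets, so the value cannot break out of the src attribute. Anything else
// is shown as escaped text.
const IMAGE_DATA_URL = /^data:image\/(png|jpeg|gif|webp);base64,[A-Za-z0-9+/]+={0,2}$/;

function renderMediaCell(value) {
  const s = String(value);
  if (IMAGE_DATA_URL.test(s)) {
    return `<td><img src="${s}" alt="document media"></td>`;
  }
  return renderCellSafe(s);
}

// Constructed sample document, standing in for a record an untrusted user stored.
const sampleDoc = {
  name: 'widget',
  note: '<script>alert(1)</script>',
  thumb: 'data:image/png;base64,iVBORw0KGgo=',
  fakeMedia: 'data:text/html;base64,PHNjcmlwdD4=',
};

// Helper for checking whether rendered markup still contains a live script tag.
function containsRawScriptTag(html) {
  return /<script/i.test(html);
}
```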
**Recommendations**
For versions prior to v1.0.0-alpha.4, upgrade to v1.0.0-alpha.4, which resolves the issue. Until the upgrade is applied, restrict access to the mongo-express interface as a temporary workaround, and avoid using it to render media or large documents.