PT-2020-21263 · Mongodb · Express-Cart
Published 2020-09-01 · Updated 2020-09-01
Severity: None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions
express-cart versions prior to 1.1.8
Description
The issue is caused by the lack of user input sanitization in the login handlers, allowing NoSQL injection. Specifically, parameters from the JSON body are passed directly into the MongoDB query, which makes it possible to insert query operators. These operators can be used to extract field values, much like blind SQL injection, with the $regex operator being used to guess each character of a token.
Recommendations
Update to version 1.1.8 or later.
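The pattern described above, as an added illustration that is not express-cart's own code: a login filter built straight from the JSON body accepts an object such as `{"$regex": ...}` where a string was expected, because MongoDB treats an object value with `$`-keys as an operator rather than a literal; the hardened builder only lets plain strings through, and `containsOperator` is a defender-side check for the same condition. The field names `email` and `password` and the request body are assumed and constructed for the example.

```javascript
// Added example (not code from express-cart): unsafe vs. hardened login filter.

// Vulnerable pattern: body values are placed into the MongoDB filter as-is.
// If body.password is {"$regex": "^a"}, the filter no longer compares a
// literal password but evaluates a regular expression against the stored field.
function buildLoginFilterUnsafe(body) {
  return { email: body.email, password: body.password };
}

// Defender check: does a decoded JSON value carry MongoDB query operators
// (any key beginning with "$") at any nesting level?
function containsOperator(value) {
  if (Array.isArray(value)) return value.some(containsOperator);
  if (value !== null && typeof value === 'object') {
    return Object.keys(value).some(
      (k) => k.startsWith('$') || containsOperator(value[k])
    );
  }
  return false;
}

// Hardened pattern: only primitive strings reach the filter; an object,
// array, number or missing field is rejected before any query is built.
function buildLoginFilterSafe(body) {
  const { email, password } = body;
  if (typeof email !== 'string' || typeof password !== 'string') {
    throw new TypeError('login fields must be strings');
  }
  return { email, password };
}

// Constructed request body (assumed shape) in which the password value is an
// operator object instead of a string, as a parsed JSON body would deliver it.
const constructedBody = JSON.parse(
  '{"email":"user@example.com","password":{"$regex":"^a"}}'
);

// A benign body for comparison.
const benignBody = { email: 'user@example.com', password: 'hunter2' };
```

Detecting `containsOperator(req.body) === true` at the request layer (for example in logging or a WAF rule) is a useful signal, but the fix is the type check: the query must never receive anything but a string for these fields.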
SQL injection
Weakness Enumeration
Related Identifiers
Affected Products
Express-Cart