PT-2021-14495 · Unknown · Mongo-Express

Jafar Akhondali · Published 2021-06-21 · Updated 2021-06-29 · CVE-2021-21422

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: mongo-express versions prior to v1.0.0-alpha.4
Description: mongo-express is a web-based MongoDB admin interface in which two kinds of XSS are possible. When the content of a cell exceeds the supported display size, clicking on the row displays the full document unescaped; this requires the admin to interact with the cell. In addition, data cells identified as media are rendered as media without being sanitised. An unauthorized user can exploit this by placing a large amount of data, with embedded JavaScript, in a field of a document; when the admin views it, the payload can export a collection to the attacker without the admin's knowledge. Other actions, such as dropping a database or collection, are also possible.
Recommendations: For versions prior to v1.0.0-alpha.4, upgrade to v1.0.0-alpha.4 to resolve the issue. As a temporary workaround, restrict access to the affected interface until the upgrade is applied, and avoid using the interface to render media or large documents until the issue is resolved.
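As an added, defender-side illustration (constructed for this entry, not mongo-express code and not part of the advisory), the following JavaScript shows the rendering discipline the fix implies: every document value is HTML-escaped before it reaches the page, including the full-document view shown for oversized cells, and a value is rendered as media only when it matches a strict image data-URL allow-list and the admin has opted in. The cutoff, the regex and all function names are assumptions for the example.

```javascript
// Added example: escaping untrusted MongoDB document values before rendering.
// Nothing here is mongo-express code; names and limits are constructed.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can break out of HTML text or attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Constructed display cutoff: longer cell text is truncated in the table,
// and the full text is kept only as an escaped title attribute.
const MAX_CELL = 50;

// Constructed allow-list: only a base64 image data URL may be shown as media.
const IMAGE_DATA_URL = /^data:image\/(png|jpeg|gif|webp);base64,[A-Za-z0-9+/=]+$/;

function isImageDataUrl(value) {
  return typeof value === 'string' && IMAGE_DATA_URL.test(value);
}

// Render one cell. Media rendering is opt-in (renderMedia) and allow-listed;
// everything else is escaped text, regardless of length.
function renderCell(value, opts = { renderMedia: false }) {
  const text = typeof value === 'string' ? value : JSON.stringify(value);
  if (opts.renderMedia && isImageDataUrl(text)) {
    // The URL is still escaped so it cannot close the src attribute.
    return `<td><img src="${escapeHtml(text)}" alt="document media"></td>`;
  }
  const shown = text.length > MAX_CELL ? text.slice(0, MAX_CELL) + '...' : text;
  return `<td title="${escapeHtml(text)}">${escapeHtml(shown)}</td>`;
}

// Full-document view (what the row click opens): the whole document is
// serialised and escaped, so oversized values never land in the DOM raw.
function renderDocument(doc) {
  return '<pre>' + escapeHtml(JSON.stringify(doc, null, 2)) + '</pre>';
}

// Constructed sample document with an HTML payload and an oversized field.
const sampleDoc = {
  name: '<img src=x onerror=alert(1)>',
  note: 'a'.repeat(100),
};

function demo() {
  return {
    cell: renderCell(sampleDoc.name),
    full: renderDocument(sampleDoc),
  };
}
```

The point of the allow-list is that "looks like media" is decided by a strict pattern on the value, never by trusting the document's own metadata, and that the admin's opt-in is still required before anything other than escaped text is emitted.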

Exploit

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2021-21422
GHSA-7P8H-86P5-WV3P

Affected Products

Mongo-Express