Express-Cart before 1.1.6 allows remote attackers to create an admin user via an /admin/setup
Referer header.
{ "nvd_published_at": "2018-06-15T14:29:00Z", "cwe_ids": [ "CWE-732" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-04-01T22:03:23Z" }