An issue in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information and execute arbitrary code via the /deleteCustomer/route.json file.
The vulnerability is related to the /deleteCustomer/route.json file available in the EverShop application. A remote attacker can access this resource without authorization, which leads to disclosure of sensitive data and allows execution of arbitrary code on the server. The detailed mechanism of the vulnerability was not disclosed in the CVE description, however the CVSS vector indicates no requirements for permissions and user interaction.
An attacker can gain access to sensitive information stored in the application and execute arbitrary code on the server (RCE), which may result in complete takeover of the system.
EverShop NPM should be updated to version v.1.0.0-rc.8 or newer. Until the update is deployed, it is recommended to restrict access to the application at the firewall level and monitor network traffic for unauthorized requests to customer management endpoints.
EverShop NPM in versions before v.1.0.0-rc.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HEvershop
APPEvershop1.0.0
Related vulnerabilities
EverShop: token resetowania hasła ujawniany w odpowiedzi API
Second-order SQL injection w EverShop podczas obsługi kategorii
Hardkodowany sekret HMAC w @evershop/evershop umożliwia fałszowanie tokenów JWT
A Denial of Service (DoS) vulnerability in evershop 2.1.0 and prior allows unauthenticated attackers to exhaus...
EverShop 2.0.1 allows a remote unauthenticated attacker to upload arbitrary files and create directories via t...