CRITICAL🇵🇱 Wersja polska

CVE-2023-46498

CVSS 9.8v3.1pub. 2023-12-08upd. 2024-11-21

An issue in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information and execute arbitrary code via the /deleteCustomer/route.json file.

🤖 AI Analysis
How it works

The vulnerability is related to the /deleteCustomer/route.json file available in the EverShop application. A remote attacker can access this resource without authorization, which leads to disclosure of sensitive data and allows execution of arbitrary code on the server. The detailed mechanism of the vulnerability was not disclosed in the CVE description, however the CVSS vector indicates no requirements for permissions and user interaction.

Impact

An attacker can gain access to sensitive information stored in the application and execute arbitrary code on the server (RCE), which may result in complete takeover of the system.

Mitigation & patch

EverShop NPM should be updated to version v.1.0.0-rc.8 or newer. Until the update is deployed, it is recommended to restrict access to the application at the firewall level and monitor network traffic for unauthorized requests to customer management endpoints.

Who is affected

EverShop NPM in versions before v.1.0.0-rc.8

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Evershop

    APP
    Evershop
    1.0.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2026-28213CRITICAL9.8PL ✓ten sam produkt

EverShop: token resetowania hasła ujawniany w odpowiedzi API

CVE-2026-25993CRITICAL9.3PL ✓ten sam produkt

Second-order SQL injection w EverShop podczas obsługi kategorii

CVE-2023-46943CRITICAL9.1PL ✓ten sam produkt

Hardkodowany sekret HMAC w @evershop/evershop umożliwia fałszowanie tokenów JWT

CVE-2025-67419HIGH7.5ten sam produkt

A Denial of Service (DoS) vulnerability in evershop 2.1.0 and prior allows unauthenticated attackers to exhaus...

CVE-2025-65844HIGH7.5ten sam produkt

EverShop 2.0.1 allows a remote unauthenticated attacker to upload arbitrary files and create directories via t...