EverShop is a TypeScript-first eCommerce platform. Versions prior to 2.1.1 have a vulnerability in the "Forgot Password" functionality. When specifying a target email address, the API response returns the password reset token. This allows an attacker to take over the associated account. Version 2.1.1 fixes the issue.
An attacker sends a password reset request by providing the target email address of the victim. The server responds with the password reset token in the API response instead of sending it only to the account owner's email address. With this token, the attacker can set a new password and take control of the account. The attack requires no permissions or interaction from the victim's side.
An attacker can fully take over any user account on the platform, gaining unauthorized access to personal data, order history and administrative panel, as well as modify or delete data.
EverShop should be updated immediately to version 2.1.1, which eliminates the described vulnerability. The patch is available in the vendor's repository: https://github.com/evershopcommerce/evershop/releases/tag/v2.1.1
EverShop (e-commerce platform) in all versions prior to 2.1.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HEvershop
APPEvershop< 2.1.1
Related vulnerabilities
Second-order SQL injection w EverShop podczas obsługi kategorii
Hardkodowany sekret HMAC w @evershop/evershop umożliwia fałszowanie tokenów JWT
RCE i ujawnienie danych w EverShop NPM przez plik route.json
A Denial of Service (DoS) vulnerability in evershop 2.1.0 and prior allows unauthenticated attackers to exhaus...
EverShop 2.0.1 allows a remote unauthenticated attacker to upload arbitrary files and create directories via t...