Lucene search

GitHub Advisory DatabaseGHSA-RWF3-W4JQ-F4CM

HistoryDec 08, 2023 - 9:30 p.m.

Directory Traversal in evershop

2023-12-0821:30:30

CWE-22

GitHub Advisory Database

github.com

directory traversal

remote attacker

sensitive information

crafted request

delete function

software

evershop

8.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H

6.3 Medium

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

30.4%

JSON

Directory Traversal vulnerability in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information via a crafted request to the DELETE function in api/files endpoint.

Affected configurations

Vulners

Node

evershopevershopRange<1.0.0-rc.8beta4node.js

CPENameOperatorVersion
@evershop/evershoplt1.0.0-rc.8

CPE	Name	Operator	Version
	@evershop/evershop	lt	1.0.0-rc.8

References

devhub.checkmarx.com/cve-details/CVE-2023-46496/

devhub.checkmarx.com/cve-details/Cx943be66a-54cc/

github.com/advisories/GHSA-rwf3-w4jq-f4cm

github.com/evershopcommerce/evershop/pull/338

nvd.nist.gov/vuln/detail/CVE-2023-46496

8.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H

6.3 Medium

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

30.4%

JSON

Related for GHSA-RWF3-W4JQ-F4CM