Lucene search

GoogleOSV:GHSA-7443-5962-WP4R

HistoryDec 08, 2023 - 9:30 p.m.

Directory Traversal in evershop

2023-12-0821:30:30

Google

osv.dev

directory traversal

evershop

npm

vulnerability

remote attacker

sensitive information

crafted request

mkdirsync function

foldercreate

createfolder.js

endpoint

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

AI Score

6.3

Confidence

Low

EPSS

0.001

Percentile

17.6%

JSON

Directory Traversal vulnerability in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information via a crafted request to the mkdirSync function in the folderCreate/createFolder.js endpoint.

References

devhub.checkmarx.com/cve-details/CVE-2023-46497

devhub.checkmarx.com/cve-details/Cx16846793-56b6

github.com/evershopcommerce/evershop

github.com/evershopcommerce/evershop/pull/338

nvd.nist.gov/vuln/detail/CVE-2023-46497

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

AI Score

6.3

Confidence

Low

EPSS

0.001

Percentile

17.6%

JSON

Related for OSV:GHSA-7443-5962-WP4R