@evershop/evershop
npm | 10 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting @evershop/evershop
- CVE-2023-46493 | MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 1.0.0-rc.8 | 2023-12-08
Directory Traversal vulnerability in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information via a crafted request to the readDirSync function in fileBrowser/browser.js.
- CVE-2023-46494 | MEDIUM | CVSS 6.1 | EG 6.1 | ✓ Fixed in 1.0.0-rc.5 | 2023-12-08
Cross Site Scripting vulnerability in EverShop NPM versions before v.1.0.0-rc.5 allows a remote attacker to obtain sensitive information via a crafted request to the ProductGrid function in admin/productGrid/Grid.jsx.
- CVE-2023-46495 | MEDIUM | CVSS 6.1 | EG 6.1 | ✓ Fixed in 1.0.0-rc.8 | 2023-12-08
Cross Site Scripting vulnerability in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information via a crafted request to the sortBy parameter.
- CVE-2023-46496 | HIGH | CVSS 8.3 | EG 8.3 | ✓ Fixed in 1.0.0-rc.8 | 2023-12-08
Directory Traversal vulnerability in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information via a crafted request to the DELETE function in api/files endpoint.
- CVE-2023-46497 | MEDIUM | CVSS 5.4 | EG 5.4 | ✓ Fixed in 1.0.0-rc.8 | 2023-12-08
Directory Traversal vulnerability in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information via a crafted request to the mkdirSync function in the folderCreate/createFolder.js endpoint.
- CVE-2023-46498 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 1.0.0-rc.8 | 2023-12-08
An issue in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information and execute arbitrary code via the /deleteCustomer/route.json file.
- CVE-2023-46499 | MEDIUM | CVSS 6.1 | EG 6.1 | ✓ Fixed in 1.0.0-rc.5 | 2023-12-08
Cross Site Scripting vulnerability in EverShop NPM versions before v.1.0.0-rc.5 allows a remote attacker to obtain sensitive information via crafted scripts to the Admin Panel.
- CVE-2023-46942 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 1.0.0-rc.9 | 2024-01-13
Lack of authentication in NPM's package @evershop/evershop before version 1.0.0-rc.8 allows remote attackers to obtain sensitive information via improper authorization in GraphQL endpoints.
- CVE-2023-46943 | CRITICAL | CVSS 9.1 | EG 9.1 | ✓ Fixed in 1.0.0-rc.9 | 2024-01-13
An issue was discovered in NPM's package @evershop/evershop before version 1.0.0-rc.8. The HMAC secret used for generating tokens is hardcoded as "secret". A weak HMAC secret poses a risk because attackers can use the predictable secret to…
- CVE-2025-12919 | LOW | CVSS 3.7 | EG 3.7 | 2025-11-09
A vulnerability was detected in EverShop up to 2.0.1. Affected is an unknown function of the file /src/modules/oms/graphql/types/Order/Order.resolvers.js of the component Order Handler. The manipulation of the argument uuid results in impr…