Search
Search Results (12 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-28213 | 1 Evershop | 1 Evershop | 2026-02-27 | 9.8 Critical |
| EverShop is a TypeScript-first eCommerce platform. Versions prior to 2.1.1 have a vulnerability in the "Forgot Password" functionality. When specifying a target email address, the API response returns the password reset token. This allows an attacker to take over the associated account. Version 2.1.1 fixes the issue. | ||||
| CVE-2025-12919 | 1 Evershop | 1 Evershop | 2026-02-24 | 3.7 Low |
| A vulnerability was detected in EverShop up to 2.0.1. Affected is an unknown function of the file /src/modules/oms/graphql/types/Order/Order.resolvers.js of the component Order Handler. The manipulation of the argument uuid results in improper control of resource identifiers. The attack may be performed from remote. This attack is characterized by high complexity. The exploitability is told to be difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-25993 | 1 Evershop | 1 Evershop | 2026-02-23 | 9.8 Critical |
| EverShop is a TypeScript-first eCommerce platform. During category update and deletion event handling, the application embeds path / request_path values—derived from the url_key stored in the database—into SQL statements via string concatenation and passes them to execute(). As a result, if a malicious string is stored in url_key , subsequent event processing modifies and executes the SQL statement, leading to a second-order SQL injection. Patched from v2.1.1. | ||||
| CVE-2023-46942 | 1 Evershop | 1 Evershop | 2025-06-03 | 7.5 High |
| Lack of authentication in NPM's package @evershop/evershop before version 1.0.0-rc.8, allows remote attackers to obtain sensitive information via improper authorization in GraphQL endpoints. | ||||
| CVE-2023-46494 | 1 Evershop | 1 Evershop | 2025-05-27 | 6.1 Medium |
| Cross Site Scripting vulnerability in EverShop NPM versions before v.1.0.0-rc.5 allows a remote attacker to obtain sensitive information via a crafted request to the ProductGrid function in admin/productGrid/Grid.jsx. | ||||
| CVE-2023-46499 | 1 Evershop | 1 Evershop | 2024-11-26 | 6.1 Medium |
| Cross Site Scripting vulnerability in EverShop NPM versions before v.1.0.0-rc.5 allows a remote attacker to obtain sensitive information via a crafted scripts to the Admin Panel. | ||||
| CVE-2023-46943 | 1 Evershop | 1 Evershop | 2024-11-21 | 9.1 Critical |
| An issue was discovered in NPM's package @evershop/evershop before version 1.0.0-rc.8. The HMAC secret used for generating tokens is hardcoded as "secret". A weak HMAC secret poses a risk because attackers can use the predictable secret to create valid JSON Web Tokens (JWTs), allowing them access to important information and actions within the application. | ||||
| CVE-2023-46498 | 1 Evershop | 1 Evershop | 2024-11-21 | 9.8 Critical |
| An issue in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information and execute arbitrary code via the /deleteCustomer/route.json file. | ||||
| CVE-2023-46497 | 1 Evershop | 1 Evershop | 2024-11-21 | 5.4 Medium |
| Directory Traversal vulnerability in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information via a crafted request to the mkdirSync function in the folderCreate/createFolder.js endpoint. | ||||
| CVE-2023-46496 | 1 Evershop | 1 Evershop | 2024-11-21 | 8.3 High |
| Directory Traversal vulnerability in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information via a crafted request to the DELETE function in api/files endpoint. | ||||
| CVE-2023-46495 | 1 Evershop | 1 Evershop | 2024-11-21 | 6.1 Medium |
| Cross Site Scripting vulnerability in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information via a crafted request to the sortBy parameter. | ||||
| CVE-2023-46493 | 1 Evershop | 1 Evershop | 2024-11-21 | 5.3 Medium |
| Directory Traversal vulnerability in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information via a crafted request to the readDirSync function in fileBrowser/browser.js. | ||||
Page 1 of 1.