CVE-2023-46498
📋 TL;DR
A critical vulnerability in EverShop (npm package @evershop/evershop) versions before 1.0.0-rc.8 exposes the /deleteCustomer/route.json endpoint to unauthenticated remote attackers. Per the advisory, the endpoint can be used to access sensitive information and execute arbitrary code, so any deployment running a vulnerable version is exposed to full compromise of the application host.
💻 Affected Systems
- EverShop
📦 What is this software?
Evershop by Evershop
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with remote code execution leading to data theft, ransomware deployment, or persistent backdoor installation.
Likely Case
Unauthorized access to sensitive customer data and limited code execution within the application context.
If Mitigated
Requests to the endpoint are dropped at the reverse proxy or WAF, or the application is reachable only from trusted networks; no impact until the patch is applied.
🎯 Exploit Status
Exploitation appears straightforward via crafted requests to the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.0-rc.8 and later
Vendor Advisory: https://devhub.checkmarx.com/cve-details/cve-2023-46498/
Restart Required: Yes
Instructions:
1. Update @evershop/evershop to 1.0.0-rc.8 or later (e.g. npm install @evershop/evershop@latest). Note that npm update only moves within the range declared in package.json, so a pinned pre-release range may need an explicit install.
2. Restart the EverShop application.
3. Verify the installed version (see How to Verify below) and that the endpoint no longer responds to unauthenticated requests.
🔧 Temporary Workarounds
Block Vulnerable Endpoint
Use a web application firewall or reverse proxy to block access to /deleteCustomer/route.json.
# Example nginx config:
location ~ ^/deleteCustomer/route\.json$ {
    deny all;
}
# Example Apache config:
<Location "/deleteCustomer/route.json">
    Require all denied
</Location>
Caveat: the advisory names the route by its route.json definition file. Before relying on a path-based block, confirm in your installed package which HTTP path the deleteCustomer route is actually served on, and test the rule against a vulnerable instance; a rule that matches only the definition-file name may not cover the live route.
Network Segmentation
Restrict network access to EverShop administration interfaces.
# Use firewall rules to limit source IPs (Linux/iptables). Insert the ACCEPT rule
# before the DROP rule, or use -I so it is evaluated first.
iptables -A INPUT -p tcp --dport [EverShop-port] -s [trusted-IP] -j ACCEPT
iptables -A INPUT -p tcp --dport [EverShop-port] -j DROP
🧯 If You Can't Patch
- Implement strict network access controls to limit exposure
- Deploy web application firewall with specific rules blocking the vulnerable endpoint
🔍 How to Verify
Check if Vulnerable:
Check the version actually installed under node_modules (node_modules/@evershop/evershop/package.json), not the range declared in the project's package.json; if it is below 1.0.0-rc.8, the system is vulnerable.
Check Version:
npm ls @evershop/evershop
Verify Fix Applied:
Confirm the installed @evershop/evershop version is 1.0.0-rc.8 or higher, then test that an unauthenticated request to /deleteCustomer/route.json is rejected.
📡 Detection & Monitoring
Log Indicators:
- Any request to /deleteCustomer/route.json, in particular from clients that never authenticated to the admin interface (the advisory states the endpoint is reachable without authentication)
- Successful (2xx) responses to that endpoint from source addresses outside the expected administrator set
- Unexpected process execution or file modifications
Network Indicators:
- HTTP requests to /deleteCustomer/route.json with suspicious parameters
- Unusual outbound connections from EverShop server
SIEM Query:
source="webserver" AND uri="/deleteCustomer/route.json*"
(the wildcard form also matches the exact path and any query string; add a filter on status=2* or on untrusted source IPs to reduce noise)
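The indicators above can be checked directly against web-server logs when no SIEM is in front of the EverShop host. The following is an added example, not EverShop project code, that parses nginx "combined" format access-log lines, pulls out requests to the advisory's endpoint, and ranks them by whether the application answered 2xx and whether the source is a known administrator address. The log lines are constructed for this example; the HTTP method and addresses in them are assumptions, not observed attacker traffic.

```javascript
// Added example (not EverShop project code): scan access logs for requests to
// the endpoint named in the advisory and surface the indicators listed above.
// The sample log lines are constructed for this example (RFC 5737 test
// addresses); the request method shown in them is an assumption.
const TARGET_PATH = "/deleteCustomer/route.json";

// nginx "combined" format:
// remote - user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
const COMBINED_RE =
  /^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/;

function parseCombined(line) {
  const m = COMBINED_RE.exec(line);
  if (!m) return null; // skip lines in another format rather than abort the scan
  return {
    ip: m[1], user: m[2], time: m[3], method: m[4], path: m[5],
    status: Number(m[6]), referer: m[8], ua: m[9],
  };
}

// A request is an indicator when its path (query string ignored) is the
// advisory's endpoint. Untrusted sources that received a 2xx rank "high":
// that is the "successful access" signal from the monitoring section.
// Untrusted sources that were refused rank "medium"; trusted admins rank "low".
function findIndicators(lines, trustedIps = new Set()) {
  const hits = [];
  for (const line of lines) {
    const r = parseCombined(line);
    if (!r) continue;
    if (r.path.split("?")[0] !== TARGET_PATH) continue;
    const trusted = trustedIps.has(r.ip);
    const success = r.status >= 200 && r.status < 300;
    hits.push({ ...r, severity: trusted ? "low" : success ? "high" : "medium" });
  }
  return hits;
}

// Distinct untrusted source addresses that got a successful response.
function successfulUntrustedSources(hits) {
  return new Set(hits.filter((h) => h.severity === "high").map((h) => h.ip));
}

function summarize(lines, trustedIps) {
  const hits = findIndicators(lines, trustedIps);
  return {
    totalHits: hits.length,
    bySeverity: hits.reduce((acc, h) => ({ ...acc, [h.severity]: (acc[h.severity] || 0) + 1 }), {}),
    untrustedSuccessfulSources: [...successfulUntrustedSources(hits)],
  };
}

// Constructed sample: two unauthenticated hits from one address that got 2xx,
// one legitimate admin, one unrelated request, one refused probe.
const SAMPLE_LOG = [
  '203.0.113.7 - - [12/Nov/2023:10:01:02 +0000] "POST /deleteCustomer/route.json HTTP/1.1" 200 52 "-" "curl/8.4.0"',
  '203.0.113.7 - - [12/Nov/2023:10:01:05 +0000] "POST /deleteCustomer/route.json?id=1 HTTP/1.1" 200 52 "-" "curl/8.4.0"',
  '198.51.100.4 - admin [12/Nov/2023:10:02:00 +0000] "POST /deleteCustomer/route.json HTTP/1.1" 200 52 "https://shop.example/admin" "Mozilla/5.0"',
  '192.0.2.9 - - [12/Nov/2023:10:03:00 +0000] "GET /products/shoes HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
  '203.0.113.8 - - [12/Nov/2023:10:04:00 +0000] "POST /deleteCustomer/route.json HTTP/1.1" 403 0 "-" "python-requests/2.31"',
];
const TRUSTED_ADMIN_IPS = new Set(["198.51.100.4"]); // assumed administrator address

console.log(JSON.stringify(summarize(SAMPLE_LOG, TRUSTED_ADMIN_IPS), null, 2));

module.exports = { parseCombined, findIndicators, successfulUntrustedSources, summarize, SAMPLE_LOG, TRUSTED_ADMIN_IPS };
```

Feed real logs in with the same function and treat any "high" hit as a trigger to check the customer table for unexpected deletions and the host for the process and file indicators listed above; a "medium" hit from a blocked probe still shows the endpoint is being targeted.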