A vulnerability was detected in EverShop up to 2.0.1. Affected is an unknown function of the file /src/modules/oms/graphql/types/Order/Order.resolvers.js of the component Order Handler. The manipulation of the argument uuid results in improper control of resource identifiers.
The attack may be performed from remote. This attack is characterized by high complexity. The exploitability is told to be difficult.
The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
High
Difficult to exploit
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
Low
Partial data leak
Integrity
None
No data modification
Availability
None
No disruption
CVSS Vector v3.1
Weakness Type (CWE)
Vulnerable Products 1
| Configuration | From (including) | Up to (excluding) |
|---|---|---|
|
Evershop Evershop
cpe:2.3:a:evershop:evershop:*:*:*:*:*:node.js:*:*
|
— |
<= 2.0.1
|
References 5
https://github.com/ictrun/Evershop-Order-leak/blob/main/README.md
cna@vuldb.com
https://github.com/ictrun/Evershop-Order-leak/blob/main/README.md#attack-steps
cna@vuldb.com
https://vuldb.com/?ctiid.331639
cna@vuldb.com
https://vuldb.com/?id.331639
cna@vuldb.com
https://vuldb.com/?submit.680788
cna@vuldb.com