VYPR
Moderate severity · NVD Advisory · Published Dec 8, 2023 · Updated May 27, 2025

CVE-2023-46494

Description

Cross Site Scripting vulnerability in EverShop NPM versions before v.1.0.0-rc.5 allows a remote attacker to obtain sensitive information via a crafted request to the ProductGrid function in admin/productGrid/Grid.jsx.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS vulnerability in EverShop admin panel (Product Name/SKU fields) allows remote attackers to execute arbitrary JavaScript by crafting product searches.

Vulnerability Overview

CVE-2023-46494 is a Reflected Cross-Site Scripting (XSS) vulnerability in the EverShop e-commerce platform, affecting NPM versions before v.1.0.0-rc.5. The vulnerability resides in the ProductGrid function within the admin panel (admin/productGrid/Grid.jsx). By crafting a request with malicious JavaScript embedded in input fields such as "Product Name" or "SKU," an attacker can inject arbitrary scripts that execute when an administrator views the product grid [1][3].

Attack Vector and Prerequisites

An attacker does not require prior authentication to the admin panel to exploit this flaw. The attack is carried out by sending a specially crafted URL or form submission containing malicious code in the product search parameters. When an admin user loads the product grid, the injected script is rendered without proper sanitization, leading to execution in the context of the admin's session [3]. This is a classic case of improper neutralization of input during web page generation (CWE-79) [3].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the browser of the logged-in administrator. This can lead to session hijacking, account takeover, data exfiltration, or further compromise of the admin panel. The vulnerability could be weaponized to install persistent backdoors or deface the storefront [3].

Mitigation and Patch

The EverShop project released a fix in version 1.0.0-rc.5. Users of earlier versions should update immediately to mitigate the risk. The reference to a GitHub pull request [4] indicates that the code changes were merged to address the XSS vectors in the ProductGrid component. No workarounds are documented; upgrading to the patched version is the recommended action.
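To make the attack-vector and mitigation sections above concrete, the following is an added illustration and not code from EverShop's Grid.jsx, from the referenced pull request, or from this advisory. It models a hypothetical grid filter banner that concatenates the search term from the query string straight into markup (the CWE-79 pattern the overview describes), the same helper with HTML escaping applied, and a small regression check a defender can keep in a component test suite. The helper names, the `name` query parameter and the constructed sample query string are assumptions made for the example.

```javascript
// Added example (not EverShop's code): how a product-grid search filter can
// reflect attacker-controlled text into markup, and the escaped alternative.
// Helper names, the "name" parameter and the sample query are assumptions.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that let text break out of an HTML text node or attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the search term from the query string is concatenated into
// markup as-is, so anything the admin's browser receives is interpreted as HTML.
function renderFilterBannerUnsafe(query) {
  const term = query.get('name') ?? '';
  return `<div class="grid-filter">Showing products matching: <b>${term}</b></div>`;
}

// Hardened pattern: every untrusted value is escaped before it reaches markup.
function renderFilterBannerSafe(query) {
  const term = escapeHtml(query.get('name') ?? '');
  return `<div class="grid-filter">Showing products matching: <b>${term}</b></div>`;
}

// Defensive check: does a rendered fragment still contain a raw <script ...> tag or an
// on*= event-handler attribute? Suitable as a regression assertion in component tests.
function containsRawScript(html) {
  return /<script\b|\bon[a-z]+\s*=/i.test(html);
}

// Constructed sample request: an admin opens the grid with a crafted "name" filter.
const craftedQuery = new URLSearchParams('name=<script>probe()</script>Shirt&limit=20');

const unsafeHtml = renderFilterBannerUnsafe(craftedQuery);
const safeHtml = renderFilterBannerSafe(craftedQuery);

console.log('unsafe renders raw script tag:', containsRawScript(unsafeHtml)); // true
console.log('safe renders raw script tag:  ', containsRawScript(safeHtml));   // false
console.log(safeHtml);
```

React escapes plain text children automatically, so in a JSX component the risky spots are the places where markup is built as a string or injected through `dangerouslySetInnerHTML`; the `containsRawScript` check is meant to run over exactly those rendered fragments with a crafted filter value as input.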

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package              Ecosystem   Affected versions   Patched versions
@evershop/evershop   npm         < 1.0.0-rc.5        1.0.0-rc.5

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 7

News mentions: 0 (no linked articles in our index yet)