VYPR
Moderate severity · NVD Advisory · Published Dec 8, 2023 · Updated Aug 2, 2024

CVE-2023-46495

Description

Cross Site Scripting vulnerability in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information via a crafted request to the sortBy parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A reflected XSS vulnerability in EverShop before v1.0.0-rc.8 allows attackers to execute arbitrary JavaScript via a crafted sortBy parameter.

Vulnerability

Overview

CVE-2023-46495 describes a reflected Cross-Site Scripting (XSS) vulnerability in the EverShop eCommerce platform, affecting all versions prior to v1.0.0-rc.8. The bug is improper sanitization of the sortBy parameter: when a request carries sortBy twice, the application reflects the value of the second occurrence directly into the page's HTML without encoding or validation [1][3]. User input is therefore never neutralized, and arbitrary JavaScript can be injected into the page.

Exploitation

Prerequisites

An attacker can exploit this vulnerability by crafting a URL containing a malicious sortBy parameter (e.g., ?sortBy=productId&sortBy=). The attack does not require authentication, as the vulnerability is triggered merely by a victim visiting the crafted link. No special network position is needed — the attack can be delivered via email, social media, or other channels [3].

Impact

Successful exploitation results in arbitrary JavaScript execution in the context of the victim's browser session on the EverShop application. This can lead to account takeover, session hijacking, exfiltration of sensitive data (such as customer information or credentials), and defacement. Because XSS allows the attacker to impersonate the user, the impact is considered high, especially on eCommerce sites handling personal and payment data [1][3].

Mitigation

The vulnerability has been fixed in EverShop version 1.0.0-rc.8. The fix was implemented in pull request #338 on the official GitHub repository, which introduced proper input sanitization and output encoding for the sortBy parameter [4]. Users are strongly advised to upgrade to the latest patched version immediately. No workarounds are documented; upgrading is the only complete mitigation [2][4].
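As an added illustration of the two controls named above (allowlisting the sortBy value and encoding it at the output boundary), the following Node.js snippet shows how a request handler can treat a duplicated query parameter. It is example code written for this page, not EverShop's code and not the contents of PR #338; the route shape, the set of sort keys and the rendered fragment are assumptions.

```javascript
// Added example: hardened handling of a user-controlled sort parameter.
// Not EverShop's code; the sort keys and the rendered fragment are assumptions.

// Sort keys the application actually supports (assumed for this example).
const ALLOWED_SORT_KEYS = new Set(["productId", "name", "price", "createdAt"]);
const DEFAULT_SORT_KEY = "productId";

// Minimal HTML entity encoder for text nodes and double-quoted attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Resolve sortBy from a request URL. URLSearchParams.getAll() returns every
// occurrence, so a duplicated parameter is visible instead of silently
// collapsing to the first or last value. A request with more than one sortBy,
// or a value outside the allowlist, falls back to the default sort key.
function resolveSortBy(requestUrl) {
  const params = new URL(requestUrl, "http://localhost").searchParams;
  const values = params.getAll("sortBy");
  if (values.length !== 1 || !ALLOWED_SORT_KEYS.has(values[0])) {
    return { sortBy: DEFAULT_SORT_KEY, rejected: values };
  }
  return { sortBy: values[0], rejected: [] };
}

// Render the fragment the page reflects back. The value is already
// allowlisted, but encoding at the output boundary is what keeps the page
// safe if the allowlist is ever loosened or bypassed upstream.
function renderSortControl(requestUrl) {
  const { sortBy } = resolveSortBy(requestUrl);
  return `<input type="hidden" name="sortBy" value="${escapeHtml(sortBy)}">`;
}

// Constructed sample requests for a stand-alone run; the second and third
// carry a duplicated or non-allowlisted sortBy and resolve to the default.
for (const u of [
  "/products?sortBy=price",
  "/products?sortBy=productId&sortBy=name",
  "/products?sortBy=%22%3E%3Cb%3Ex",
]) {
  console.log(u, "->", renderSortControl(u));
}
```

The point of `getAll` over a single lookup is that the duplicated-parameter case described in the Overview becomes an explicit branch rather than an accident of which occurrence the query parser happens to keep; logging the `rejected` array gives a detection hook for requests that probe the parameter.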

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                    Affected versions   Patched versions
@evershop/evershop (npm)   < 1.0.0-rc.8        1.0.0-rc.8

Affected products: 2

Patches: 0. No patches discovered yet.

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 7

News mentions: 0. No linked articles in our index yet.