VYPR
Moderate severity · NVD Advisory · Published Dec 8, 2023 · Updated Oct 9, 2024

CVE-2023-46497

Description

Directory Traversal vulnerability in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information via a crafted request to the mkdirSync function in the folderCreate/createFolder.js endpoint.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Directory traversal in EverShop before v1.0.0-rc.8 allows remote attackers to create folders outside the intended directory via the mkdirSync function.

Vulnerability

CVE-2023-46497 is a directory traversal vulnerability in EverShop, a TypeScript e-commerce platform, affecting versions prior to v1.0.0-rc.8. The root cause is missing validation of the path passed to the mkdirSync function in the folderCreate/createFolder.js endpoint, which allows a remote attacker to use '../' sequences in a crafted request to navigate outside the intended directory [1][3].

Exploitation

An attacker can exploit this vulnerability by sending a specially crafted request to the folder creation feature, typically used when adding an image to a product's 'Description' field. The attack requires network access and high privileges (e.g., being an authenticated user with file upload capabilities), but no user interaction is needed. By supplying a path containing relative path traversal sequences like ../, the attacker can cause the application to create folders in arbitrary locations on the server [3].

Impact

The vulnerability allows an attacker to create folders in unintended locations, potentially affecting system processes or other applications. While the CVE description and references specify that this can lead to obtaining sensitive information [1], the Checkmarx analysis also notes that folder creation outside the intended scope may impact system integrity. The CVSS vector indicates no direct confidentiality or availability impact, but integrity impact is rated as low, and the scope is changed, meaning the vulnerable component impacts resources beyond its security scope [3].

Mitigation

EverShop patched this vulnerability in version 1.0.0-rc.8. The fix was implemented in a pull request that addressed the missing input validation [4]. Users are strongly advised to upgrade to the latest version to mitigate the risk of directory traversal attacks. No workarounds are documented, and as of the publication date, the CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
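
The kind of containment check whose absence the advisory describes, written as an added example; it is not EverShop's code or its actual patch. The names createFolderSafely and isInside, the media-root layout and the sample paths are assumptions constructed for illustration.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// True when candidate is root itself or a descendant of it.
function isInside(root, candidate) {
  return candidate === root || candidate.startsWith(root + path.sep);
}

// Create `requested` (client-supplied, relative) under mediaRoot, or throw.
function createFolderSafely(mediaRoot, requested) {
  if (typeof requested !== 'string' || requested === '' || requested.includes('\0')) {
    throw new Error('invalid folder path');
  }
  const root = fs.realpathSync(mediaRoot);
  // path.resolve collapses "." and ".." and lets an absolute input replace root,
  // so the containment test must run on the resolved result, not the raw string.
  const target = path.resolve(root, requested);
  if (!isInside(root, target)) throw new Error('path escapes media root');

  // Lexical checks miss symlinks: the deepest ancestor that already exists
  // must still resolve to a real path inside root.
  let existing = target;
  while (!fs.existsSync(existing)) existing = path.dirname(existing);
  if (!isInside(root, fs.realpathSync(existing))) {
    throw new Error('path escapes media root via symlink');
  }
  fs.mkdirSync(target, { recursive: true });
  return target;
}

// Constructed sample inputs, run against a throwaway temp directory.
function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'media-'));
  const verdicts = {};
  for (const input of ['catalog/2023', '../outside', 'catalog/../../outside', '/abs-outside']) {
    try {
      createFolderSafely(root, input);
      verdicts[input] = 'created';
    } catch (err) {
      verdicts[input] = err.message;
    }
  }
  return verdicts;
}

console.log(demo());
```

The check between the symlink test and mkdirSync is not atomic, so the media root should also be writable only by the application account.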

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                    Affected versions    Patched versions
@evershop/evershop (npm)   < 1.0.0-rc.8         1.0.0-rc.8
