CVE-2023-46498
Description
An issue in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information and execute arbitrary code via the /deleteCustomer/route.json file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
EverShop before v1.0.0-rc.8 has a broken function level authorization flaw: the customer-deletion API route (the deleteCustomer/route.json definition named in the CVE description) accepts requests with no authentication, so an unauthenticated attacker who learns a customer's UUID, which the public GraphQL schema makes obtainable, can delete that account.
Vulnerability
CVE-2023-46498 is a broken function level authorization vulnerability in EverShop, a TypeScript e-commerce platform, affecting versions before v1.0.0-rc.8. The issue resides in the route definition for the deleteCustomer API (the /deleteCustomer/route.json file cited in the CVE description), which exposed the deletion endpoint without an authorization check, so unauthenticated requests could delete customer accounts [1][3]. The GraphQL endpoint is not the deletion path itself; it is the reconnaissance channel through which an attacker enumerates customer identifiers (see Exploitation).
Exploitation
An attacker first queries the GraphQL schema to locate the Customer object and retrieve a target customer's UUID, then sends a DELETE request carrying that UUID to the unprotected customer-deletion endpoint; the account is removed without any session or credential [3]. The attack needs nothing beyond network reachability of the storefront API: no account, no privileges and no special network position.
Impact
Successful exploitation deletes arbitrary customer accounts (an integrity and availability impact: loss of customer records and disruption of service for the affected users), and the GraphQL enumeration step discloses customer identifiers. The CVE description additionally claims arbitrary code execution; the cited analysis [3] describes only unauthenticated deletion and information disclosure, so treat the code-execution wording as unconfirmed when prioritizing remediation.
Mitigation
The vulnerability was fixed in EverShop v1.0.0-rc.8, which requires an authenticated admin session to call the customer-deletion endpoint [3][4]. Operators should upgrade to v1.0.0-rc.8 or later, or backport the change from pull request #342, and review access logs for DELETE requests to the customer-deletion route that carry no admin session, since any such request before the upgrade indicates a deleted account rather than a blocked attempt.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
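The route-level authorization failure and its fix, as an added illustrative example. This is not EverShop's code and not the change made in pull request #342: it models a small route table in the spirit of per-route JSON definitions, a dispatcher, and two authorization policies. Route names, paths, the `access` flag, the session shape and the customer data are all assumptions, and the public listing route stands in for the GraphQL schema query the page describes as the way an attacker obtains a customer UUID. The example goes one step beyond the page by also showing that a default-deny policy would have neutralised the missing flag even before the route itself was fixed.

```javascript
// Added illustrative example, not EverShop's own code. It models a small route
// table (in the spirit of per-route JSON definitions), a dispatcher, and the
// difference between opt-in and default-deny function-level authorization.
// Route names, paths, the "access" flag and the session shape are assumptions.

// Constructed customer store keyed by UUID (constructed sample data).
function makeStore() {
  return new Map([
    ["2f9c6b1e-4a3d-4f7e-9b2a-0c1d2e3f4a5b", { email: "alice@example.test" }],
    ["8a1d3e5f-7b9c-4d2e-8f0a-1b2c3d4e5f6a", { email: "bob@example.test" }],
  ]);
}

// Route table in the vulnerable model: the delete route carries no access flag
// at all, the omission that makes it public under an opt-in check.
const vulnerableRoutes = [
  { id: "listCustomers", method: "GET", path: "/api/customers", access: "public" },
  { id: "deleteCustomer", method: "DELETE", path: "/api/customers/:id" },
];

// Same table with the route-level fix: the delete route is explicitly private.
const fixedRoutes = vulnerableRoutes.map((r) =>
  r.id === "deleteCustomer" ? { ...r, access: "private" } : r
);

const handlers = {
  listCustomers: (store) => ({ status: 200, body: [...store.keys()] }),
  deleteCustomer: (store, { id }) => {
    if (!store.has(id)) return { status: 404, body: { error: "no such customer" } };
    store.delete(id);
    return { status: 200, body: { deleted: id } };
  },
};

function isAdmin(session) {
  return Boolean(session && session.authenticated && session.role === "admin");
}

// Opt-in policy: only routes that say "private" are checked; anything else is open.
function authorizeOptIn(route, session) {
  return route.access !== "private" || isAdmin(session);
}

// Default-deny policy: a route is open only if it explicitly says "public".
function authorizeDefaultDeny(route, session) {
  return route.access === "public" || isAdmin(session);
}

// Match a pattern such as "/api/customers/:id" against a concrete path.
// Returns the captured params, or null when the path does not match.
function matchPath(pattern, path) {
  const p = pattern.split("/"), q = path.split("/");
  if (p.length !== q.length) return null;
  const params = {};
  for (let i = 0; i < p.length; i++) {
    if (p[i].startsWith(":")) params[p[i].slice(1)] = q[i];
    else if (p[i] !== q[i]) return null;
  }
  return params;
}

// Dispatch one request: find the route, apply the authorization policy, run the handler.
function dispatch(routes, authorize, store, req) {
  for (const route of routes) {
    if (route.method !== req.method) continue;
    const params = matchPath(route.path, req.path);
    if (params === null) continue;
    if (!authorize(route, req.session)) return { status: 401, body: { error: "unauthorized" } };
    return handlers[route.id](store, params);
  }
  return { status: 404, body: { error: "not found" } };
}

// The two-step attack from the page: enumerate customer IDs with no session,
// then DELETE one of them with no session. The listing route stands in for the
// GraphQL query the page describes (the recon channel is an assumption here).
function simulateAttack(routes, authorize) {
  const store = makeStore();
  const list = dispatch(routes, authorize, store, { method: "GET", path: "/api/customers", session: null });
  const target = list.status === 200 ? list.body[0] : [...store.keys()][0];
  const del = dispatch(routes, authorize, store, { method: "DELETE", path: `/api/customers/${target}`, session: null });
  return { listStatus: list.status, deleteStatus: del.status, remaining: store.size };
}

// A legitimate admin deletion, for comparison with the unauthenticated one.
function adminDelete(routes, authorize) {
  const store = makeStore();
  const [target] = store.keys();
  const res = dispatch(routes, authorize, store, {
    method: "DELETE", path: `/api/customers/${target}`,
    session: { authenticated: true, role: "admin" },
  });
  return { status: res.status, remaining: store.size };
}

console.log("vulnerable table, opt-in policy:", simulateAttack(vulnerableRoutes, authorizeOptIn));
console.log("fixed table, opt-in policy:     ", simulateAttack(fixedRoutes, authorizeOptIn));
console.log("vulnerable table, default-deny: ", simulateAttack(vulnerableRoutes, authorizeDefaultDeny));
console.log("fixed table, admin session:     ", adminDelete(fixedRoutes, authorizeOptIn));
```

Run it with `node`: the unauthenticated delete succeeds only in the first line, where the unflagged route meets the opt-in policy. The same four comparisons are the regression test worth adding beside a fix of this kind, since every mutating route should reject a request that carries no session regardless of what its individual definition says.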
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| @evershop/evershop | npm | < 1.0.0-rc.8 | 1.0.0-rc.8 |
Affected products
- EverShop / EverShop NPM
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. github.com/advisories/GHSA-5mmr-9qx3-3pf9 (advisory; via GHSA)
2. nvd.nist.gov/vuln/detail/CVE-2023-46498 (advisory; via GHSA)
3. devhub.checkmarx.com/cve-details/Cx8b24ace3-0c9a (web; via GHSA)
4. devhub.checkmarx.com/cve-details/cve-2023-46498 (web; via GHSA)
5. github.com/evershopcommerce/evershop/pull/342 (web; via GHSA)
6. devhub.checkmarx.com/cve-details/Cx8b24ace3-0c9a (via MITRE)
7. devhub.checkmarx.com/cve-details/cve-2023-46498 (via MITRE)
News mentions
No linked articles in our index yet.