CVE-2023-46495 in EverShop NPM
Summary
by MITRE • 12/08/2023
Cross Site Scripting vulnerability in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information via a crafted request to the sortBy parameter.
Analysis
by VulDB Data Team • 11/13/2025
The Cross Site Scripting vulnerability identified as CVE-2023-46495 affects the EverShop NPM package in versions prior to v.1.0.0-rc.8. It is a critical concern for web application developers and security professionals because it lets a remote attacker execute malicious scripts in the context of a victim's browser. The flaw lies in the input validation and sanitization of the application's sorting functionality, specifically its handling of the sortBy parameter: the affected code does not adequately filter or escape this user-supplied value, which gives an attacker an avenue to inject code that executes when other users view the affected pages.
The technical exploitation of this vulnerability occurs when an attacker crafts a malicious request containing script tags or other malicious payloads within the sortBy parameter. When the web application processes this parameter without proper sanitization, the injected code becomes part of the page's content and executes in the browser context of any user who views the affected page. This behavior aligns with CWE-79, which defines Cross Site Scripting as the improper handling of input data that allows attackers to inject client-side scripts into web applications. The vulnerability falls under the category of reflected XSS attacks where the malicious script is reflected off the web server back to the user, making it particularly dangerous as it can be delivered through various vectors including email links, chat messages, or compromised websites.
The operational impact of this vulnerability extends beyond simple script execution, as it can potentially lead to session hijacking, credential theft, and unauthorized access to sensitive user information. Attackers can leverage this vulnerability to steal session cookies, modify user data, or redirect victims to malicious websites that can harvest additional sensitive information. The attack vector requires minimal technical expertise and can be automated, making it particularly dangerous for applications that handle sensitive data or user authentication. The vulnerability affects the core functionality of the EverShop application's sorting mechanism, which is a fundamental feature for user experience and data presentation. This means that the attack surface is broad and can impact multiple user interactions across the application, potentially affecting customer data, order information, and other sensitive business-critical data.
Organizations using affected versions of the EverShop NPM package should immediately implement mitigations to address this vulnerability. The primary remediation is updating to version v.1.0.0-rc.8 or later, which contains the patches that prevent XSS injection through the sortBy parameter. Additionally, proper input validation and output encoding provide defense-in-depth protection against similar vulnerabilities. Security measures should include Content Security Policy headers, proper HTML escaping for all dynamic content, and validation of all user inputs against strict whitelists. The vulnerability demonstrates the importance of following secure coding practices as outlined in the OWASP Top Ten and aligns with ATT&CK technique T1203, which covers Obtaining Application Access Tokens. Organizations should also conduct comprehensive security testing, including dynamic application security testing and manual penetration testing, to identify similar vulnerabilities in their web applications. The incident underscores the necessity of maintaining up-to-date dependencies and implementing robust security monitoring to detect and respond to potential exploitation attempts.
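As an added illustration of the reflected-XSS pattern described above and of the allowlist-plus-escaping remediation, the following is a hypothetical Node.js listing handler written for this page; it is not EverShop's code, and the product data, function names and route are constructed for the example. The vulnerable variant copies sortBy into the response body unchanged; the hardened variant accepts only known sort keys, escapes everything it writes into HTML, and sets a Content Security Policy that blocks inline script so a value that slipped through could not execute.

```javascript
// Added example, not EverShop's code: a hypothetical product-listing handler
// that reflects the ?sortBy= query parameter, in a vulnerable and a hardened form.
// Uses only built-in Node.js globals (URL), so it runs offline with no dependencies.

// Constructed sample catalogue and the sort keys the listing legitimately supports.
const PRODUCTS = [
  { name: 'Mug', price: 12 },
  { name: 'Lamp', price: 40 },
  { name: 'Book', price: 8 },
];
const ALLOWED_SORT_KEYS = ['name', 'price'];

// VULNERABLE (CWE-79): the raw sortBy value is interpolated into the page,
// so a value containing markup becomes part of the HTML the browser parses.
function renderVulnerable(sortBy) {
  const rows = PRODUCTS.map((p) => `<li>${p.name}: ${p.price}</li>`).join('');
  return `<p>Sorted by ${sortBy}</p><ul>${rows}</ul>`;
}

// Minimal HTML entity escaping for text placed into an HTML body or attribute.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Strict allowlist: anything that is not a known sort key falls back to a safe
// default instead of being echoed back to the user.
function normalizeSortBy(sortBy) {
  return ALLOWED_SORT_KEYS.includes(sortBy) ? sortBy : 'name';
}

// HARDENED: validate on input, then escape on output as defence in depth
// (the key is already allowlisted, but escaping costs nothing and survives
// later changes to the allowlist).
function renderHardened(sortBy) {
  const key = normalizeSortBy(sortBy);
  const sorted = [...PRODUCTS].sort((a, b) =>
    key === 'price' ? a.price - b.price : a.name.localeCompare(b.name));
  const rows = sorted
    .map((p) => `<li>${escapeHtml(p.name)}: ${p.price}</li>`)
    .join('');
  return `<p>Sorted by ${escapeHtml(key)}</p><ul>${rows}</ul>`;
}

// Response headers for the hardened handler. The CSP forbids inline script,
// which blocks execution of any reflected payload that an escaping bug missed.
const SECURITY_HEADERS = {
  'Content-Type': 'text/html; charset=utf-8',
  'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'",
};

// Hardened request handler for the hypothetical /products route. It parses the
// query string with the WHATWG URL API rather than by hand and returns a plain
// object so the behaviour can be checked without starting a server.
function handleRequest(requestUrl) {
  const parsed = new URL(requestUrl, 'http://localhost');
  const sortBy = parsed.searchParams.get('sortBy'); // null when absent
  return { status: 200, headers: SECURITY_HEADERS, body: renderHardened(sortBy) };
}

// Detection helper used by the demo: does the rendered HTML still contain an
// unescaped <script> tag?
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Compare both renderers on a constructed probe of the kind the advisory describes.
function demo() {
  const probe = '<script>alert(1)</script>';
  return {
    vulnerable: containsRawScriptTag(renderVulnerable(probe)), // true
    hardened: containsRawScriptTag(renderHardened(probe)),     // false
  };
}
```

To wire `handleRequest` into a real server, map its returned `status`, `headers` and `body` onto `res.writeHead` and `res.end` in an `http.createServer` callback; the allowlist is the control that actually removes the reflection, and the CSP and output escaping are the layers that limit damage if a future code path forgets it.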