CVE-2023-46493: 
JavaScript vulnerability analysis and mitigation

A Directory Traversal vulnerability has been identified in EverShop NPM versions before v.1.0.0-rc.8, tracked as CVE-2023-46493. The vulnerability allows remote attackers to obtain sensitive information through a crafted request to the readDirSync function in fileBrowser/browser.js. This vulnerability was disclosed on December 8, 2023, and affects the EverShop web application framework (NVD, Checkmarx).

The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) with a CVSS v3.1 base score of 5.3 (MEDIUM). The attack vector is network-based with low attack complexity, requiring no user interaction or privileges. The vulnerability specifically affects the readdirSync function in browser.js, which lacks proper input validation, allowing attackers to list all folders and files on the filesystem through the API endpoint '/api/files' (Checkmarx).

The exploitation of this vulnerability results in a confidentiality impact rated as LOW, with no impact on integrity or availability. The scope is unchanged, meaning the vulnerable component and impacted component are the same. The primary risk is unauthorized access to sensitive information through directory traversal (NVD).

The vulnerability has been fixed in EverShop NPM version 1.0.0-rc.8. Users are advised to upgrade to this version or later to mitigate the security risk (NVD).