CVE-2023-46495: 
JavaScript vulnerability analysis and mitigation

Cross Site Scripting (XSS) vulnerability was discovered in EverShop NPM versions before v.1.0.0-rc.8. The vulnerability was disclosed on December 8, 2023, and affects the EverShop web application package (@evershop/evershop). The vulnerability allows remote attackers to obtain sensitive information through a crafted request to the sortBy parameter (NVD).

The vulnerability is classified as a Reflected Cross-Site Scripting (XSS) vulnerability with a CVSS v3.1 base score of 6.1 (Medium). The attack complexity is LOW, requiring network access and user interaction but no privileges. The vulnerability occurs when attackers add a second 'sortBy' parameter to the request, which returns the second 'sortBy' value in the page's code, potentially enabling the successful execution of XSS payloads. The vulnerability has been assigned CWE-79 (Improper Neutralization of Input During Web Page Generation) (Checkmarx).

The exploitation of this vulnerability can lead to sensitive information disclosure and potential account takeover. The vulnerability has LOW confidentiality and integrity impact, with NO impact on availability. Due to the CHANGED scope, the impact may extend beyond the vulnerable component (Checkmarx).

The vulnerability has been patched in EverShop NPM version 1.0.0-rc.8. Users are advised to upgrade to this version or later to mitigate the risk (NVD).