CVE-2023-46496: 
JavaScript vulnerability analysis and mitigation

A Directory Traversal vulnerability (CVE-2023-46496) was discovered in EverShop NPM versions before v.1.0.0-rc.8. The vulnerability exists in the DELETE function of the api/files endpoint, which allows remote attackers to obtain sensitive information via crafted requests. The vulnerability was disclosed on December 8, 2023, and affects all EverShop NPM versions prior to version 1.0.0-rc.8 (NVD, Checkmarx Advisory).

The vulnerability stems from missing input validation in the 'unlinkSync' function within 'deleteFile.js'. This security flaw enables arbitrary file deletion across the filesystem through the '/api/files' endpoint that accepts DELETE requests. The vulnerability has been assigned a CVSS v3.1 base score of 8.3 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H. The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) (NVD, Checkmarx Advisory).

The vulnerability allows attackers to perform arbitrary file deletion across the filesystem, potentially leading to system compromise. The CVSS scoring indicates high impacts on both integrity and availability of the system, with some impact on confidentiality. The attack complexity is considered low, requiring only network access and low privileges to exploit (Checkmarx Advisory).

Users should upgrade to EverShop NPM version 1.0.0-rc.8 or later to address this vulnerability (NVD).