CVE-2023-46498: 
JavaScript vulnerability analysis and mitigation

An issue in EverShop NPM versions before v.1.0.0-rc.8 was discovered that allows remote attackers to obtain sensitive information and execute arbitrary code. The vulnerability affects the /deleteCustomer/route.json file and was disclosed on December 8, 2023. The issue has been assigned CVE-2023-46498 and received a CVSS v3.1 base score of 9.8 (CRITICAL) (NVD).

The vulnerability is classified as a Broken Function Level Authorization issue in the route.json file. Unauthenticated attackers can exploit this vulnerability through a publicly accessible GraphQL endpoint. The attack can be chained with another vulnerability in the GraphQL schema, where attackers first query the schema to identify the Customer object and obtain the relevant uuid of a user. Subsequently, they can send a DELETE request to the unprotected endpoint, resulting in successful deletion of user accounts. The attack complexity is rated as LOW, requiring no user interaction or special privileges (Checkmarx Advisory).

The vulnerability has severe impacts on system security. It allows attackers to execute arbitrary code and obtain sensitive information. According to the CVSS metrics, the vulnerability has HIGH impact on availability and integrity, potentially affecting system operations and data integrity. The scope is rated as UNCHANGED, meaning the vulnerable component and the impacted component are the same (NVD).

The vulnerability has been fixed in EverShop NPM version 1.0.0-rc.8. The fix involves closing public access to the endpoint, requiring users to be authenticated with 'admin' credentials to make requests. Organizations using affected versions should upgrade to the patched version immediately (Checkmarx Advisory).