CVE-2023-46943: EverShop at risk to unauthorized access via weak HMAC secret

January 13, 2024 (updated November 18, 2024)

An issue was discovered in NPM’s package @evershop/evershop before version 1.0.0-rc.9. The HMAC secret used for generating tokens is hardcoded as “secret”. A weak HMAC secret poses a risk because attackers can use the predictable secret to create valid JSON Web Tokens (JWTs), allowing them access to important information and actions within the application.

References

advisory.checkmarx.net/advisory/CVE-2023-46943
devhub.checkmarx.com/cve-details/CVE-2023-46943
github.com/advisories/GHSA-32r3-57hp-cgfw
github.com/evershopcommerce/evershop
github.com/evershopcommerce/evershop/commit/96d9ca3e024e0b63c538911e4a914df3d287cc9f
nvd.nist.gov/vuln/detail/CVE-2023-46943

Detect and mitigate CVE-2023-46943 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →