CVE-2023-46943

An issue was discovered in NPM's package @evershop/evershop before version 1.0.0-rc.8. The HMAC secret used for generating tokens is hardcoded as "secret". A weak HMAC secret poses a risk because attackers can use the predictable secret to create valid JSON Web Tokens (JWTs), allowing them access to important information and actions within the application.

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 9.1 CRITICAL | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| mitre | CNA | --- | | | | --- |
| CVE | ADP | --- | | | | --- |
| CISA-ADP | ADP | 9.1 CRITICAL | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |

EPSS Score percentile: 25%

| Vendor | Product | Version |
|---|---|---|
| evershop | evershop | 1.0.0:beta |
| evershop | evershop | 1.0.0:beta1 |
| evershop | evershop | 1.0.0:beta2 |
| evershop | evershop | 1.0.0:beta3 |
| evershop | evershop | 1.0.0:beta4 |
| evershop | evershop | 1.0.0:beta5 |
| evershop | evershop | 1.0.0:rc1 |
| evershop | evershop | 1.0.0:rc2 |
| evershop | evershop | 1.0.0:rc3 |
| evershop | evershop | 1.0.0:rc5 |
| evershop | evershop | 1.0.0:rc6 |
| evershop | evershop | 1.0.0:rc7 |