CVE-2023-46943 — CRITICAL (9.1)

Vulnerability Description

An issue was discovered in NPM's package @evershop/evershop before version 1.0.0-rc.8. The HMAC secret used for generating tokens is hardcoded as "secret". A weak HMAC secret poses a risk because attackers can use the predictable secret to create valid JSON Web Tokens (JWTs), allowing them access to important information and actions within the application.

CVSS Score

9.1

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Evershop	Evershop	1.0.0

Related Weaknesses (CWE)

CWE-798

References

https://advisory.checkmarx.net/advisory/CVE-2023-46943/
https://devhub.checkmarx.com/cve-details/CVE-2023-46943/Third Party Advisory
https://advisory.checkmarx.net/advisory/CVE-2023-46943/
https://devhub.checkmarx.com/cve-details/CVE-2023-46943/Third Party Advisory

FAQ

What is CVE-2023-46943?

CVE-2023-46943 is a vulnerability with a CVSS score of 9.1 (CRITICAL). An issue was discovered in NPM's package @evershop/evershop before version 1.0.0-rc.8. The HMAC secret used for generating tokens is hardcoded as "secret". A weak HMAC secret poses a risk because atta...

How severe is CVE-2023-46943?

CVE-2023-46943 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2023-46943?

Check the references section above for vendor advisories and patch information. Affected products include: Evershop Evershop.