CVE-2023-46943
Severity CVSS v4.0:
Pending analysis
Type:
CWE-798
Use of Hard-coded Credentials
Publication date:
13/01/2024
Last modified:
30/08/2024
Description
An issue was discovered in NPM's package @evershop/evershop before version 1.0.0-rc.8. The HMAC secret used for generating tokens is hardcoded as "secret". A weak HMAC secret poses a risk because attackers can use the predictable secret to create valid JSON Web Tokens (JWTs), allowing them access to important information and actions within the application.
Impact
Base Score 3.x
9.10
Severity 3.x
CRITICAL
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:evershop:evershop:1.0.0:beta:*:*:*:node.js:*:* | ||
| cpe:2.3:a:evershop:evershop:1.0.0:beta1:*:*:*:node.js:*:* | ||
| cpe:2.3:a:evershop:evershop:1.0.0:beta2:*:*:*:node.js:*:* | ||
| cpe:2.3:a:evershop:evershop:1.0.0:beta3:*:*:*:node.js:*:* | ||
| cpe:2.3:a:evershop:evershop:1.0.0:beta4:*:*:*:node.js:*:* | ||
| cpe:2.3:a:evershop:evershop:1.0.0:beta5:*:*:*:node.js:*:* | ||
| cpe:2.3:a:evershop:evershop:1.0.0:rc1:*:*:*:node.js:*:* | ||
| cpe:2.3:a:evershop:evershop:1.0.0:rc2:*:*:*:node.js:*:* | ||
| cpe:2.3:a:evershop:evershop:1.0.0:rc3:*:*:*:node.js:*:* | ||
| cpe:2.3:a:evershop:evershop:1.0.0:rc5:*:*:*:node.js:*:* | ||
| cpe:2.3:a:evershop:evershop:1.0.0:rc6:*:*:*:node.js:*:* | ||
| cpe:2.3:a:evershop:evershop:1.0.0:rc7:*:*:*:node.js:*:* |
To consult the complete list of CPE names with products and versions, see this page