CVE-2023-46943
An issue was discovered in NPM's package @evershop/evershop before version 1.0.0-rc.8. The HMAC secret used for generating tokens is hardcoded as "secret". A weak HMAC secret poses a risk because attackers can use the predictable secret to create valid JSON Web Tokens (JWTs), allowing them access to important information and actions within the application.
| Software | From | Fixed in |
|---|---|---|
@evershop / evershop
|
- | 1.0.0-rc.9 |
| evershop / evershop | 1.0.0-beta2 | 1.0.0-beta2.x |
| evershop / evershop | 1.0.0-beta1 | 1.0.0-beta1.x |
| evershop / evershop | 1.0.0-beta | 1.0.0-beta.x |
| evershop / evershop | 1.0.0-rc3 | 1.0.0-rc3.x |
| evershop / evershop | 1.0.0-rc1 | 1.0.0-rc1.x |
| evershop / evershop | 1.0.0-rc2 | 1.0.0-rc2.x |
| evershop / evershop | 1.0.0-beta3 | 1.0.0-beta3.x |
| evershop / evershop | 1.0.0-beta4 | 1.0.0-beta4.x |
| evershop / evershop | 1.0.0-beta5 | 1.0.0-beta5.x |
| evershop / evershop | 1.0.0-rc5 | 1.0.0-rc5.x |
| evershop / evershop | 1.0.0-rc6 | 1.0.0-rc6.x |
| evershop / evershop | 1.0.0-rc7 | 1.0.0-rc7.x |
- https://advisory.checkmarx.net/advisory/CVE-2023-46943
- https://advisory.checkmarx.net/advisory/CVE-2023-46943/
- https://devhub.checkmarx.com/cve-details/CVE-2023-46943
- https://devhub.checkmarx.com/cve-details/CVE-2023-46943/
- https://github.com/evershopcommerce/evershop/commit/96d9ca3e024e0b63c538911e4a914df3d287cc9f
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime