Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information. Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
EverShop Vulnerable to Arbitrary Customer Account Takeover via Exposure of Password Reset Token in API Response
Vulnerability Description
EverShop is a TypeScript-first eCommerce platform. Versions prior to 2.1.1 have a vulnerability in the "Forgot Password" functionality: when a target email address is submitted, the API response includes that account's password reset token instead of delivering it only through the email channel. This allows an attacker who knows a victim's email address to take over the associated account. Version 2.1.1 fixes the issue.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerability Type
Information Exposure
Vulnerability Title
EverShop Authorization Issue Vulnerability
Vulnerability Description
EverShop is an open-source NodeJS eCommerce platform published by EverShop. Versions of EverShop prior to 2.1.1 contain an authorization vulnerability: the Forgot Password function returns the password reset token in the API response, which can lead to account takeover.
CVSS Information
N/A
Vulnerability Type
N/A