PT-2025-45581 · Evershop · Evershop
Ictrun +1 · Published 2025-11-09 · Updated 2025-12-11 · CVE-2025-12919
CVSS v3.1: 3.7 (Low)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
EverShop versions up to 2.0.1
Description
A flaw exists in EverShop related to improper control of resource identifiers. The issue is located in an unknown function within the /src/modules/oms/graphql/types/Order/Order.resolvers.js file of the Order Handler component. Manipulation of the uuid argument can trigger the issue. The attack can be performed remotely and is considered to have high complexity and difficult exploitability. The exploit is publicly available. The vendor was contacted but did not respond.
Recommendations
Versions prior to 2.0.1 should be updated.
Exploit
Fix
IDOR
Related Identifiers
Affected Products
Evershop