Improper Authorization

Summary

A Broken Function Level Authorization vulnerability in the "route.json" file of the EverShop web application in versions prior to 1.0.0-rc.8 allows unauthenticated attackers to delete customer accounts through a publicly accessible GraphQL endpoint. Attackers can chain this with another vulnerability found in the GraphQL schema, first by querying the schema to identify the "Customer" object and get the relevant "uuid" of a user. Then the attackers are able to send a DELETE request to the unprotected endpoint, resulting in the successful deletion of the user account. This was fixed by closing public access to the endpoint so it requires users to be authenticated with 'admin' credentials in order to request it.