Skip to main content

Improper Authorization


Severity High
Score 9.1/10


A Broken Function Level Authorization vulnerability in the "route.json" file of the EverShop web application in versions prior to 1.0.0-rc.8 allows unauthenticated attackers to delete customer accounts through a publicly accessible GraphQL endpoint. Attackers can chain this with another vulnerability found in the GraphQL schema, first by querying the schema to identify the "Customer" object and get the relevant "uuid" of a user. Then the attackers are able to send a DELETE request to the unprotected endpoint, resulting in the successful deletion of the user account. This was fixed by closing public access to the endpoint so it requires users to be authenticated with 'admin' credentials in order to request it.

  • LOW
  • HIGH
  • NONE
  • NONE
  • NONE
  • HIGH

CWE-285 - Improper Authorization

The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Advisory Timeline

  • Published