Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-1767

The Snyk Advisor website (https://snyk.io/advisor/) was vulnerable to a stored XSS prior to 28th March 2023. A feature of Snyk Advisor is to display the contents of a scanned package's Readme on its package health page. An attacker could create a package in NPM with an associated markdown README file containing XSS-able HTML tags. Upon Snyk Advisor importing the package, the XSS would run each time an end user browsed to the package's page on Snyk Advisor.

Published

2023-04-20T10:15:07.433

Last Modified

2024-11-21T07:39:52.033

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 4.3 (MEDIUM)

Weaknesses

Type: Secondary
CWE-79
Type: Primary
CWE-79

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	snyk	advisor	< 2023-03-28	Yes

References

https://support.snyk.io/hc/en-us/articles/10146704933405 Vendor Advisory ([email protected])
https://weizman.github.io/2023/04/10/snyk-xss/ Exploit, Third Party Advisory ([email protected])
https://support.snyk.io/hc/en-us/articles/10146704933405 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://weizman.github.io/2023/04/10/snyk-xss/ Exploit, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)