Vulnerability Description
The Snyk Advisor website (https://snyk.io/advisor/) was vulnerable to stored XSS prior to 28th March 2023. A feature of Snyk Advisor is to display the contents of a scanned package's README on its package health page. An attacker could publish a package to NPM whose markdown README contained HTML tags capable of triggering XSS. Once Snyk Advisor imported the package, the injected script would run each time an end user browsed to that package's page on Snyk Advisor.
CVSS Score
4.3 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Snyk | Advisor | < 2023-03-28 |
Related Weaknesses (CWE)
References
- https://support.snyk.io/hc/en-us/articles/10146704933405 (Vendor Advisory)
- https://weizman.github.io/2023/04/10/snyk-xss/ (Exploit, Third Party Advisory)
FAQ
What is CVE-2023-1767?
CVE-2023-1767 is a vulnerability with a CVSS score of 4.3 (MEDIUM). The Snyk Advisor website (https://snyk.io/advisor/) was vulnerable to a stored XSS prior to 28th March 2023. A feature of Snyk Advisor is to display the contents of a scanned package's Readme on its p...
How severe is CVE-2023-1767?
CVE-2023-1767 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2023-1767?
Check the references section above for vendor advisories and patch information. Affected products include: Snyk Advisor.