Exploitation Summary
EIP tracks 1 public exploit for CVE-2023-1767. PoCs published by weizman.
AI-analyzed exploit summary This repository demonstrates a Stored XSS vulnerability (CVE-2023-1767) in Snyk's npm package advisor. The exploit leverages a malicious README.md file in a fake npm package to inject JavaScript payloads, which are improperly sanitized by Snyk's frontend.
Description
The Snyk Advisor website (https://snyk.io/advisor/) was vulnerable to a stored XSS prior to 28th March 2023. A feature of Snyk Advisor is to display the contents of a scanned package's Readme on its package health page. An attacker could create a package in NPM with an associated markdown README file containing XSS-able HTML tags. Upon Snyk Advisor importing the package, the XSS would run each time an end user browsed to the package's page on Snyk Advisor.
Exploits (1)
This repository demonstrates a Stored XSS vulnerability (CVE-2023-1767) in Snyk's npm package advisor. The exploit leverages a malicious README.md file in a fake npm package to inject JavaScript payloads, which are improperly sanitized by Snyk's frontend.
References (2)
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N