Lucene search

[email protected]NVD:CVE-2023-27494

HistoryMar 16, 2023 - 9:15 p.m.

CVE-2023-27494

2023-03-1621:15:13

CWE-79

[email protected]

web.nvd.nist.gov

streamlit

xss vulnerability

crafted urls

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

33.1%

JSON

Streamlit, software for turning data scripts into web applications, had a cross-site scripting (XSS) vulnerability in versions 0.63.0 through 0.80.0. Users of hosted Streamlit app(s) were vulnerable to a reflected XSS vulnerability. An attacker could craft a malicious URL with Javascript payloads to a Streamlit app. The attacker could then trick the user into visiting the malicious URL and, if successful, the server would render the malicious javascript payload as-is, leading to XSS. Version 0.81.0 contains a patch for this vulnerability.

Affected configurations

Nvd

Node

snowflakestreamlitRange0.63.0–0.81.0

VendorProductVersionCPE
snowflakestreamlit*cpe:2.3:a:snowflake:streamlit:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
snowflake	streamlit	*	cpe:2.3:a:snowflake:streamlit::::::::

References

github.com/streamlit/streamlit/commit/afcf880c60e5d7538936cc2d9721b9e1bc02b075

github.com/streamlit/streamlit/security/advisories/GHSA-9c6g-qpgj-rvxw

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

33.1%

JSON

Related for NVD:CVE-2023-27494

veracode1 osv3 cve1 cvelist1 github1 prion1