Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2023-1767 PoC — Snyk Advisor 跨站脚本漏洞

Source
https://github.com/weizman/CVE-2023-1767
Associated Vulnerability
Title:Snyk Advisor 跨站脚本漏洞 (CVE-2023-1767)
Description:The Snyk Advisor website (https://snyk.io/advisor/) was vulnerable to a stored XSS prior to 28th March 2023. A feature of Snyk Advisor is to display the contents of a scanned package's Readme on its package health page. An attacker could create a package in NPM with an associated markdown README file containing XSS-able HTML tags. Upon Snyk Advisor importing the package, the XSS would run each time an end user browsed to the package's page on Snyk Advisor.
Readme
# Stored XSS `snyk.io` Discovery (19/03/23)

## [CVE-2023-1767](https://nvd.nist.gov/vuln/detail/CVE-2023-1767)

## [Responsible Vulnerability Disclosure Report](./report/)

## [Vulnerability blog post coverage](https://weizman.github.io/2023/04/10/snyk-xss/)

## [Exploit PoC](./demo/)
File Snapshot

 [4.0K]  /data/pocs/3b076060f6137a730a408d7ad3b8503905ccc527
├── [4.0K]  demo
│   ├── [4.0K]  png2jpg
│   │   ├── [  45]  index.js
│   │   ├── [ 373]  package.json
│   │   └── [ 467]  README.md
│   └── [ 81K]  README.md
├── [ 287]  README.md
└── [4.0K]  report
    ├── [4.4K]  README.md
    └── [173K]  snyk-io-advisor-npm-package-png2jpg.html

3 directories, 7 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →