Vulnerability Details CVE-2023-27494
Streamlit, software for turning data scripts into web applications, had a cross-site scripting (XSS) vulnerability in versions 0.63.0 through 0.80.0. Users of hosted Streamlit apps were vulnerable to reflected XSS. An attacker could craft a malicious URL to a Streamlit app containing JavaScript payloads, then trick a user into visiting that URL. If successful, the server would render the malicious JavaScript payload as-is, leading to XSS. Version 0.81.0 contains a patch for this vulnerability.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.005
EPSS Ranking 64.8%
CVSS Severity
CVSS v3 Score 5.9
Products affected by CVE-2023-27494
- cpe:2.3:a:snowflake:streamlit:0.63.0
- cpe:2.3:a:snowflake:streamlit:0.63.1
- cpe:2.3:a:snowflake:streamlit:0.63.2
- cpe:2.3:a:snowflake:streamlit:0.64.0
- cpe:2.3:a:snowflake:streamlit:0.64.1
- cpe:2.3:a:snowflake:streamlit:0.65.0
- cpe:2.3:a:snowflake:streamlit:0.65.1
- cpe:2.3:a:snowflake:streamlit:0.65.2
- cpe:2.3:a:snowflake:streamlit:0.65.3
- cpe:2.3:a:snowflake:streamlit:0.66.0
- cpe:2.3:a:snowflake:streamlit:0.66.1
- cpe:2.3:a:snowflake:streamlit:0.67.0
- cpe:2.3:a:snowflake:streamlit:0.67.1
- cpe:2.3:a:snowflake:streamlit:0.67.2
- cpe:2.3:a:snowflake:streamlit:0.68.0
- cpe:2.3:a:snowflake:streamlit:0.68.1
- cpe:2.3:a:snowflake:streamlit:0.68.2
- cpe:2.3:a:snowflake:streamlit:0.69.0
- cpe:2.3:a:snowflake:streamlit:0.69.1
- cpe:2.3:a:snowflake:streamlit:0.69.2
- cpe:2.3:a:snowflake:streamlit:0.69.3
- cpe:2.3:a:snowflake:streamlit:0.70.0
- cpe:2.3:a:snowflake:streamlit:0.70.1
- cpe:2.3:a:snowflake:streamlit:0.71.0
- cpe:2.3:a:snowflake:streamlit:0.71.1
- cpe:2.3:a:snowflake:streamlit:0.72.0
- cpe:2.3:a:snowflake:streamlit:0.72.1
- cpe:2.3:a:snowflake:streamlit:0.73.0
- cpe:2.3:a:snowflake:streamlit:0.73.1
- cpe:2.3:a:snowflake:streamlit:0.73.2
- cpe:2.3:a:snowflake:streamlit:0.74.0
- cpe:2.3:a:snowflake:streamlit:0.74.1
- cpe:2.3:a:snowflake:streamlit:0.74.2
- cpe:2.3:a:snowflake:streamlit:0.75.0
- cpe:2.3:a:snowflake:streamlit:0.75.1
- cpe:2.3:a:snowflake:streamlit:0.76.0
- cpe:2.3:a:snowflake:streamlit:0.76.1
- cpe:2.3:a:snowflake:streamlit:0.77.0
- cpe:2.3:a:snowflake:streamlit:0.77.1
- cpe:2.3:a:snowflake:streamlit:0.78.0
- cpe:2.3:a:snowflake:streamlit:0.78.1
- cpe:2.3:a:snowflake:streamlit:0.79.0
- cpe:2.3:a:snowflake:streamlit:0.79.1
- cpe:2.3:a:snowflake:streamlit:0.80.0
- cpe:2.3:a:snowflake:streamlit:0.80.1
- cpe:2.3:a:snowflake:streamlit:0.81