PYSEC-2023-50

Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/streamlit/PYSEC-2023-50.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2023-50
Aliases
Published
2023-03-16T21:15:00Z
Modified
2023-11-08T04:12:05.345176Z
Summary
[none]
Details

Streamlit, software for turning data scripts into web applications, had a cross-site scripting (XSS) vulnerability in versions 0.63.0 through 0.80.0. Users of hosted Streamlit app(s) were exposed to a reflected XSS vulnerability. An attacker could craft a malicious URL containing JavaScript payloads that pointed at a Streamlit app. The attacker could then trick a user into visiting the malicious URL and, if successful, the server would render the malicious JavaScript payload as-is, leading to XSS. Version 0.81.0 contains a patch for this vulnerability.

References

Affected packages

Package: PyPI / streamlit

Affected ranges

Range 1
Type: GIT
Repo: https://github.com/streamlit/streamlit
Events:
  Introduced: 0 (Unknown introduced commit / All previous commits are affected)
  Fixed:

Range 2
Type: ECOSYSTEM
Events:
  Introduced: 0.63.0
  Fixed: 0.81.0

Affected versions

0.*

0.63.0
0.63.1
0.64.0
0.65.0
0.65.1
0.65.2
0.66.0
0.67.0
0.67.1
0.68.0
0.68.1
0.69.0
0.69.1
0.69.2
0.70.0
0.71.0
0.72.0
0.73.0
0.73.1
0.74.0
0.74.1
0.75.0
0.76.0
0.77.0
0.78.0
0.79.0
0.80.0