Snyk was notified by security researcher Gal Weizman of a medium severity vulnerability (CVE-2023-1767) affecting the Snyk Advisor website (https://snyk.io/advisor/). Snyk became aware of the vulnerability on March 27, 2023, and took immediate action to reproduce and mitigate this vulnerability, and at 18:55 UTC on March 27th, 2023, released updates to Snyk Advisor to resolve the issue.
The Snyk Advisor website was vulnerable to a stored XSS before March 28, 2023. A feature of Snyk Advisor is to display the contents of a scanned package's Readme on its package health page. An attacker could create a package with an associated markdown README file containing cross-site scriptable (XSS) HTML. Upon Snyk Advisor importing the package, the XSS would run each time an end user browsed that package's page on Snyk Advisor.
Recommended actions
After a thorough investigation of the underlying database we could not find evidence of any historic malicious exploit of this vulnerability. Note that Snyk Advisor does not use any individual customer data, so no customer data was at risk. At this stage, we are not recommending that Snyk Advisor users take any further action. We will issue further updates and guidance should any actions become known.
Snyk Open Source and the rest of the Snyk platform were not impacted by this issue, and customers using Snyk Open Source will be alerted to any malicious package that we are aware of in projects monitored or tested by Snyk. IDE plugins that leverage underlying Snyk Advisor data do not transmit markdown or HTML data and thus are not impacted.
If you have been using Snyk Advisor and are not testing your projects with Snyk, you can start testing your projects using the free Snyk plan.