{"id":"PYSEC-2023-50","details":"Streamlit, software for turning data scripts into web applications, had a cross-site scripting (XSS) vulnerability in versions 0.63.0 through 0.80.0. Users of hosted Streamlit app(s) were vulnerable to a reflected XSS vulnerability. An attacker could craft a malicious URL with Javascript payloads to a Streamlit app. The attacker could then trick the user into visiting the malicious URL and, if successful, the server would render the malicious javascript payload as-is, leading to XSS. Version 0.81.0 contains a patch for this vulnerability.","aliases":["CVE-2023-27494","GHSA-9c6g-qpgj-rvxw"],"modified":"2023-11-08T04:12:05.345176Z","published":"2023-03-16T21:15:00Z","references":[{"type":"ADVISORY","url":"https://github.com/streamlit/streamlit/security/advisories/GHSA-9c6g-qpgj-rvxw"},{"type":"FIX","url":"https://github.com/streamlit/streamlit/commit/afcf880c60e5d7538936cc2d9721b9e1bc02b075"}],"affected":[{"package":{"name":"streamlit","ecosystem":"PyPI","purl":"pkg:pypi/streamlit"},"ranges":[{"type":"GIT","repo":"https://github.com/streamlit/streamlit","events":[{"introduced":"0"},{"fixed":"afcf880c60e5d7538936cc2d9721b9e1bc02b075"}]},{"type":"ECOSYSTEM","events":[{"introduced":"0.63.0"},{"fixed":"0.81.0"}]}],"versions":["0.63.0","0.63.1","0.64.0","0.65.0","0.65.1","0.65.2","0.66.0","0.67.0","0.67.1","0.68.0","0.68.1","0.69.0","0.69.1","0.69.2","0.70.0","0.71.0","0.72.0","0.73.0","0.73.1","0.74.0","0.74.1","0.75.0","0.76.0","0.77.0","0.78.0","0.79.0","0.80.0"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/streamlit/PYSEC-2023-50.yaml"}}],"schema_version":"1.7.3"}