Miggo Logo
Miggo Vulnerability Database
CVE-2023-0493

CVE-2023-0493: Withdrawn Advisory: HTML injections in BTCPayServer

8.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2023-0493
GHSA ID
GHSA-33gv-rvgq-gpxp
EPSS Score
0.7717%
CWE
CWE-74
Published
1/27/2023
Updated
11/1/2023
KEV Status
No
Technology
TechnologyC#

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
BTCPayServer.Clientnuget< 1.7.51.7.5

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from missing HTML encoding of user-controlled input in multiple controller actions and views. The GitHub commit shows systematic addition of Html.Encode() to variables like app names, email addresses, and API key labels that were previously rendered raw in confirmation dialogs and UI elements. These locations directly injected user input into HTML contexts without proper neutralization, enabling HTML injection attacks. The high confidence comes from the direct correlation between the patched locations and the vulnerability description about improper neutralization of special elements.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

## Wit**r*wn **visory T*is **visory **s ***n wit**r*wn ****us* *ll o* t** *il*s *****t** *y t*is vuln*r**ility li* in t** [*T*P*yS*rv*r *ol**r](*ttps://*it*u*.*om/*t*p*ys*rv*r/*t*p*ys*rv*r/tr**/m*st*r/*T*P*yS*rv*r), w*i** is not in t** Nu**t **osyst*

Reasoning

T** vuln*r**ility st*ms *rom missin* *TML *n*o*in* o* us*r-*ontroll** input in multipl* *ontroll*r **tions *n* vi*ws. T** *it*u* *ommit s*ows syst*m*ti* ***ition o* *tml.*n*o**() to v*ri**l*s lik* *pp n*m*s, *m*il ***r*ss*s, *n* *PI k*y l***ls t**t w