8.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-0493

GHSA ID

GHSA-33gv-rvgq-gpxp

EPSS Score

0.7717%

CWE

CWE-74

Published

1/27/2023

Updated

11/1/2023

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-0493

CVE-2023-0493: Withdrawn Advisory: HTML injections in BTCPayServer

Withdrawn Advisory

This advisory has been withdrawn because all of the files affected by this vulnerability lie in the BTCPayServer folder, which is not in the NuGet ecosystem. The BTCPayServer folder, corresponding to the BTCPayServer NuGet entry, does not contain any files that were changed to fix the vulnerability.

Original Description

Improper Neutralization of Equivalent Special Elements in GitHub repository btcpayserver/btcpayserver prior to 1.7.5.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-0493

CVE-2023-0493:

8.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-0493

GHSA ID

GHSA-33gv-rvgq-gpxp

EPSS Score

0.7717%

CWE

CWE-74

Published

1/27/2023

Updated

11/1/2023

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
BTCPayServer.Client	nuget	< 1.7.5	1.7.5

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing HTML encoding of user-controlled input in multiple controller actions and views. The GitHub commit shows systematic addition of Html.Encode() to variables like app names, email addresses, and API key labels that were previously rendered raw in confirmation dialogs and UI elements. These locations directly injected user input into HTML contexts without proper neutralization, enabling HTML injection attacks. The high confidence comes from the direct correlation between the patched locations and the vulnerability description about improper neutralization of special elements.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-0493: Withdrawn Advisory: HTML injections in BTCPayServer

Withdrawn Advisory

Original Description

CVE-2023-0493:

8.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

8.8

8.8

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2023-0493: Withdrawn Advisory: HTML injections in BTCPayServer

Withdrawn Advisory

Original Description

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI