Description
Cross-Site Scripting in swagger-ui
Versions of swagger-ui prior to 2.2.1 are vulnerable to Cross-Site Scripting (XSS). The package fails to encode output in GET requests. The request is meant to respond with Content-Type application/json, which does not trigger the vulnerability, but if the web server changes the header to text/html it may allow attackers to execute arbitrary JavaScript.
Recommendation
Upgrade to version 2.2.1 or later.
Packages
Name: swagger-ui (npm)
Affected versions: < 2.2.1
Fixed version: 2.2.1
Weaknesses
CWE-79