Description
Cross-Site Scripting in swagger-ui
Versions of swagger-ui prior to 3.20.9 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize URLs used in the OAuth auth flow, which may allow attackers to execute arbitrary JavaScript.
Recommendation
Upgrade to version 3.20.9 or later.
Packages
Name: swagger-ui (npm)
Affected versions: < 3.20.9
Fixed version: 3.20.9
CVSS3: 6.5 Medium
Weaknesses: CWE-79