Description
Cross-Site Scripting in swagger-ui
Affected versions of swagger-ui contain a cross-site scripting vulnerability in the key names of a specific nested object in the JSON document.
Proof of Concept
The vulnerable object structure is:
{
  "definitions": {
    "arbitraryVal": {
      "properties": {
        "<INJECTABLE_KEY_NAME>": "LoremIpsum"
      }
    }
  }
}
Malicious JSON documents can be loaded by passing their URL in the url query string parameter.
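The defect described above is a property key name under definitions being inserted into the page as markup instead of text. The following JavaScript is an added example (not swagger-ui's own code): it walks definitions.<name>.properties of a parsed Swagger 2.0 document, reports any key name containing HTML metacharacters, and shows the escaping step a renderer needs before placing such a key in the DOM. The function names and the two sample documents are constructed for this example.

```javascript
// Added example, not swagger-ui's own code. Scans a Swagger 2.0 document for
// property key names under `definitions` that contain HTML metacharacters and
// renders property names with escaping applied. Function names and sample
// documents are constructed for this example.

const HTML_META = /[<>&"']/;

// Map each HTML-significant character to its entity so a key name is
// always rendered as text, never parsed as markup.
function escapeHtml(s) {
  const entities = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => entities[c]);
}

// Walk definitions.<name>.properties and report keys that would be unsafe to
// insert into HTML unescaped. Returns an array of { definition, key }.
function findUnsafePropertyKeys(doc) {
  const findings = [];
  const definitions = doc && typeof doc.definitions === "object" && doc.definitions !== null
    ? doc.definitions : {};
  for (const [defName, def] of Object.entries(definitions)) {
    const props = def && typeof def.properties === "object" && def.properties !== null
      ? def.properties : {};
    for (const key of Object.keys(props)) {
      if (HTML_META.test(key)) {
        findings.push({ definition: defName, key });
      }
    }
  }
  return findings;
}

// Render one definition's property names as an HTML list, escaping each key.
// This is the safe counterpart to concatenating raw key names into markup.
function renderPropertyList(def) {
  const props = def && typeof def.properties === "object" && def.properties !== null
    ? def.properties : {};
  const items = Object.keys(props).map((k) => "<li>" + escapeHtml(k) + "</li>");
  return "<ul>" + items.join("") + "</ul>";
}

// Constructed sample documents: one ordinary, one with an HTML-bearing key name.
const SAFE_DOC = {
  definitions: { Pet: { properties: { id: { type: "integer" }, name: { type: "string" } } } },
};
const UNSAFE_DOC = {
  definitions: { arbitraryVal: { properties: { "<b>name</b>": "LoremIpsum" } } },
};

console.log("safe document findings:", findUnsafePropertyKeys(SAFE_DOC));
console.log("unsafe document findings:", findUnsafePropertyKeys(UNSAFE_DOC));
console.log("escaped rendering:", renderPropertyList(UNSAFE_DOC.definitions.arbitraryVal));
```

The scan is useful on the server side or in a pre-load hook to flag documents that carry markup in key names; the escaping function is the fix a client renderer needs regardless, since key names are attacker-controlled whenever the document URL comes from a query parameter.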
Recommendation
Update to version 2.2.1 or later.
Packages
Name: swagger-ui (npm)
Affected versions: <= 2.2.0
Fixed version: 2.2.1
Related vulnerabilities
CVSS3: 5.4
redhat
more than 9 years ago
Swagger-UI before 2.2.1 has XSS via the Default field in the Definitions section.
CVSS3: 6.1
nvd
almost 9 years ago
Swagger-UI before 2.2.1 has XSS via the Default field in the Definitions section.
CVSS3: 6.1
debian
almost 9 years ago
Swagger-UI before 2.2.1 has XSS via the Default field in the Definitio ...