Description
swagger-ui has XSS in key names
It was found that swagger-ui contains a cross-site scripting (XSS) vulnerability in the key names of the JSON document it renders. An attacker could use this flaw to supply a key name containing script tags, which could cause arbitrary code execution. Additionally, it is possible to load arbitrary JSON files remotely via the URL query-string parameter.
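The flaw described above is the classic CWE-79 pattern: an object key taken from an untrusted JSON document is interpolated into HTML without encoding. The following is an added illustration, not swagger-ui's own code: a vulnerable renderer beside a hardened one, a small check that reviewers or tests can run over rendered output, and an origin allowlist for a "load this document from a URL" query parameter (the parameter name `url` and the allowed origins are assumptions for the example). The JSON document is constructed inline.

```javascript
// Added example (not swagger-ui code): rendering JSON key names into HTML.

// Constructed sample document; the attacker-controlled part is the key name.
const SAMPLE_DOC = {
  "name": "pet",
  "<script>demo()</script>": "value"
};

// HTML-encode the five characters that can break out of text context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"
  })[c]);
}

// Vulnerable pattern: key names are interpolated verbatim, so markup inside a
// key is parsed as markup once this string is assigned to innerHTML.
function renderKeysUnsafe(obj) {
  return "<ul>" + Object.keys(obj).map((k) => `<li>${k}</li>`).join("") + "</ul>";
}

// Hardened version: every key name is escaped before it enters the markup.
function renderKeysSafe(obj) {
  return "<ul>" + Object.keys(obj).map((k) => `<li>${escapeHtml(k)}</li>`).join("") + "</ul>";
}

// Review/test helper: after removing the renderer's own <ul>/<li> template
// tags, does any other tag remain? Anything left came from the input.
function containsForeignTags(html) {
  const stripped = html.replace(/<\/?(ul|li)>/g, "");
  return /<[^>]+>/.test(stripped);
}

// Origin allowlist for a query-string parameter (assumed name: "url") that
// tells the UI which JSON document to fetch. Only https URLs on listed
// origins are accepted; malformed input is rejected rather than thrown.
function isAllowedSpecUrl(candidate, allowedOrigins) {
  let u;
  try { u = new URL(candidate); } catch { return false; }
  if (u.protocol !== "https:") return false;
  return allowedOrigins.includes(u.origin);
}

// Stand-alone demonstration.
console.log("unsafe leaks markup:", containsForeignTags(renderKeysUnsafe(SAMPLE_DOC)));
console.log("safe leaks markup:  ", containsForeignTags(renderKeysSafe(SAMPLE_DOC)));
console.log(isAllowedSpecUrl("https://api.example.com/openapi.json", ["https://api.example.com"]));
```

The escaping alone fixes the key-name issue; the allowlist addresses the second half of the description, so that the UI cannot be pointed at an arbitrary remote document chosen by whoever crafted the link.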
Affected packages
| Platform | Package | Status | Advisory | Release |
|---|---|---|---|---|
| Red Hat JBoss Fuse 6 | hawtio-swagger-ui | Affected | | |
| Red Hat OpenShift Enterprise 2 | openshift-origin-cartridge-fuse | Affected | | |
| Red Hat JBoss A-MQ 6.3 | | Fixed | RHSA-2017:0868 | 03.04.2017 |
| Red Hat JBoss Fuse 6.3 | | Fixed | RHSA-2017:0868 | 03.04.2017 |
Additional information
Status: Moderate
Defect: CWE-79
https://bugzilla.redhat.com/show_bug.cgi?id=1360275
swagger-ui: cross-site scripting in key names
EPSS: 0.0485 (percentile 89%), Low
CVSS3: 6.1 Medium
CVSS2: 4.3 Medium
Related vulnerabilities
- github, more than 3 years ago: Improper Neutralization of Input During Web Page Generation in swagger-ui
  EPSS: 0.0485 (percentile 89%), Low
  CVSS3: 6.1 Medium
  CVSS2: 4.3 Medium