Description
A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value.
Recommendation
Update the swagger-ui package to the latest compatible version. Version details:
- Affected version(s): < 3.23.11
- Patched version(s): 3.23.11
References
- GHSA-c427-hjc3-wrfw
- www.oracle.com
- lists.apache.org
- security.snyk.io
- CVE-2019-17495
- CWE-352
- CWE-79
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- Cross-Site Scripting in html-pages - CVE-2018-16481
- DOMpurify has a nesting-based mXSS - CVE-2024-47875
- Cross-Site Scripting in swagger-ui (GHSA-mrx7-8hxf-f853) - CVE-2016-1000233
- Cross-Site Scripting in swagger-ui (GHSA-4f9m-pxwh-68hg) - Vulnerability
Tags:
- npm
- swagger-ui
Last updated on August 26, 2024