Cross-Site Scripting in swagger-ui - swagger-ui

Severity:: High

Description

Affected versions of swagger-ui are vulnerable to cross-site scripting. This vulnerability exists because swagger-ui automatically executes external Javascript that is loaded in via the url query string parameter when a Content-Type: application/javascript header is included.

Recommendation

Update the swagger-ui package to the latest compatible version. Followings are version details:

Affected version(s): < 2.2.1
Patched version(s): 2.2.1

References

GHSA-mrx7-8hxf-f853
www.npmjs.com
CVE-2016-1000233
CWE-79
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

Cross-Site Scripting in swagger-ui - swagger-ui - GHSA-7f59-x49p-v8mq - CVE-2016-1000226
Cross-Site Scripting in swagger-ui - swagger-ui - GHSA-p239-93f7-h6xf - CVE-2016-5682
Cross-site scripting in Swagger-UI - CVE-2019-17495
Cross-Site Scripting in swagger-ui - swagger-ui - GHSA-22q9-hqm5-mhmc - Vulnerability

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:: npm; swagger-ui

Anything's wrong? Let us know Last updated on October 10, 2023