Cross-Site Scripting in swagger-ui
Description
Affected versions of swagger-ui are vulnerable to cross-site scripting. This vulnerability exists because swagger-ui automatically executes external Javascript that is loaded in via the url query string parameter when a Content-Type: application/javascript header is included.
An attacker can create a server that replies with a malicious script and the proper content-type, and then craft a swagger-ui URL that includes the location to their server/script in the url query string parameter. When viewed, such a link would execute the attacker's malicious script.
Recommendation
Update to 2.2.1 or later.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
swagger-uinpm | < 2.2.1 | 2.2.1 |
Affected products
2- Range: < 2.2.1
Patches
Vulnerability mechanics
References
5News mentions
0No linked articles in our index yet.