npm package
swagger-ui
pkg:npm/swagger-ui
Vulnerabilities (6)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2018-25031 | | — | | < 4.1.3 | 4.1.3 | Mar 11, 2022 | Swagger UI 4.1.2 and earlier could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions. Note: This was originally claimed to be resolved in 4.1.3. How |
| CVE-2016-1000233 | High | — | | < 2.2.1 | 2.2.1 | Sep 1, 2020 | Affected versions of `swagger-ui` are vulnerable to cross-site scripting. This vulnerability exists because `swagger-ui` automatically executes external Javascript that is loaded in via the `url` query string parameter when a `Content-Type: application/javascript` header is inclu |
| CVE-2016-1000226 | Critical | — | | < 2.2.1 | 2.2.1 | Sep 1, 2020 | Affected versions of `swagger-ui` are vulnerable to cross-site scripting in both the `consumes` and `produces` parameters of the swagger JSON document for a given API. Additionally, `swagger-ui` allows users to load arbitrary swagger JSON documents via the query string parameter |
| CVE-2016-1000229 | | — | | < 2.2.1 | 2.2.1 | Dec 20, 2019 | swagger-ui has XSS in key names |
| CVE-2019-17495 | | — | | < 3.23.11 | 3.23.11 | Oct 10, 2019 | A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product in |
| CVE-2016-5682 | Medium | 6.1 | | < 2.2.1 | 2.2.1 | Apr 10, 2017 | Swagger-UI before 2.2.1 has XSS via the Default field in the Definitions section. |