CVE-2016-1000233

Description

Affected versions of `swagger-ui` are vulnerable to cross-site scripting. This vulnerability exists because `swagger-ui` automatically executes external Javascript that is loaded in via the `url` query string parameter when a `Content-Type: application/javascript` header is included. An attacker can create a server that replies with a malicious script and the proper content-type, and then craft a `swagger-ui` URL that includes the location to their server/script in the `url` query string parameter. When viewed, such a link would execute the attacker's malicious script. ## Recommendation Update to 2.2.1 or later.

Affected packages (1)

• npm/swagger-uifrom 0, < 2.2.1

References (5)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2016-1000233
• WEBhttps://github.com/swagger-api/swagger-ui
• WEBhttps://github.com/swagger-api/swagger-ui/commit/331d2be070d89162aa3174a8773ae4a0093f78bc
• WEBhttps://github.com/swagger-api/swagger-ui/issues/1863
• WEBhttps://www.npmjs.com/advisories/131