CVE-2016-5682
EPSS 0.28%Cross-Site Scripting in swagger-ui
Published: 9/1/2020Modified: 11/8/2023
Description
Affected versions of `swagger-ui` contain a cross-site scripting vulnerability in the key names of a specific nested object in the JSON document. ## Proof of Concept The vulnerable object structure is: ``` { "definitions": { "arbitraryVal": { "properties": { "<INJECTABLE_KEY_NAME>": "LoremIpsum" } } } } ``` Malicious JSON documents can be loaded in by providing a URL to them in the `url` query string parameter. ## Recommendation Update to version 2.2.1 or later.
Affected packages (1)
- npm/swagger-uifrom 0, < 2.2.1
References (5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2016-5682
- PATCHhttps://github.com/swagger-api/swagger-ui
- WEBhttps://community.rapid7.com/community/infosec/blog/2016/09/02/r7-2016-19-persistent-xss-via-unescaped-parameters-in-swagger-ui
- WEBhttps://github.com/swagger-api/swagger-ui/issues/1865
- WEBhttps://www.npmjs.com/advisories/126