Package Instance

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Swagger-UI before 2.2.1 has XSS via the Default field in the Definitions section.

XSS in Consumes/Produces Parameter
Swagger is a standardized library for documenting API endpoints and their parameters.  Swagger uses a JSON document to organize API endpoint parameter data.

Swagger-UI version 2.1.4 contains a cross site scripting (XSS) vulnerability in the `consumes` and `produces` parameters of the swagger json document for a given API.  A maliciously crafted swagger JSON doc can be loaded via the URL query-string parameter `url`.

 To exploit the vulnerability, an attacker would convince a user to visit a malicious url crafted in the following format:
 ```
http://<USER_HOSTNAME>/swagger-ui/index.html?url=http://<MALICIOUS_HOSTNAME>/malicious-swagger-file.json
````

This issue is being disclosed before a public patched release is available due to the issue being made public in a Github issue.

Injection Vulnerability
A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product intentionally allows the embedding of untrusted JSON data from remote servers, but it was not previously known that `<style>@import` within the JSON data was a functional attack method.

Reverse Tabnapping in swagger-ui
Versions of `swagger-ui` prior to 3.18.0 are vulnerable to [Reverse Tabnapping](https://www.owasp.org/index.php/Reverse_Tabnabbing). The package uses `target='_blank'` in anchor tags, allowing attackers to access `window.opener` for the original page. This is commonly used for phishing attacks.


## Recommendation

Upgrade to version 3.18.0 or later.

Cross-Site Scripting in swagger-ui
Affected versions of `swagger-ui` are vulnerable to cross-site scripting via the `url` query string parameter.


## Recommendation

Update to 2.2.1 or later.

XSS in Consumes/Produces Parameter
Swagger-UI contains a cross site scripting (XSS) vulnerability in the `consumes` and `produces` parameters of the swagger JSON document for a given API. A maliciously crafted swagger JSON doc can be loaded via the URL query-string parameter `url`.

XSS via Content-type header
By using a malicious server which returns script as the value of the Content-Type header, it is possible to execute arbitrary code using the demonstration capabilities of Swagger-UI.

XSS via Content-type header
By using a malicious server which returns script as the value of the Content-Type header, it is possible to execute arbitrary code using the demonstration capabilities of Swagger-UI.

XSS in key names
Swagger-ui contains a cross site scripting (XSS) vulnerability in the key names for the following object path in the JSON document: `.definitions.{USER_DEFINED}.properties.{INJECTABLE_KEY_NAME}`. Supplying a key name with script tags causes arbitrary code execution. In addition it is possible to load the arbitrary JSON files remotely via the `URL` query-string parameter.