Search for packages
| purl | pkg:npm/swagger-ui@2.1.0-M1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-3hsn-22rw-7kay
Aliases: CVE-2016-5682 GHSA-p239-93f7-h6xf |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Swagger-UI before 2.2.1 has XSS via the Default field in the Definitions section. |
Affected by 0 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-5918-w4jq-rka8
Aliases: CVE-2016-1000226 GHSA-7f59-x49p-v8mq GMS-2020-783 |
XSS in Consumes/Produces Parameter Swagger is a standardized library for documenting API endpoints and their parameters. Swagger uses a JSON document to organize API endpoint parameter data. Swagger-UI version 2.1.4 contains a cross site scripting (XSS) vulnerability in the `consumes` and `produces` parameters of the swagger json document for a given API. A maliciously crafted swagger JSON doc can be loaded via the URL query-string parameter `url`. To exploit the vulnerability, an attacker would convince a user to visit a malicious url crafted in the following format: ``` http://<USER_HOSTNAME>/swagger-ui/index.html?url=http://<MALICIOUS_HOSTNAME>/malicious-swagger-file.json ```` This issue is being disclosed before a public patched release is available due to the issue being made public in a Github issue. |
Affected by 11 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-6xjv-drz7-tbgc
Aliases: GMS-2016-59 |
XSS in URL Query String Parameter There's a cross site scripting (XSS) vulnerability in the `url` query string parameter. |
Affected by 12 other vulnerabilities. |
|
VCID-fc6y-84x3-8bgu
Aliases: GHSA-vp93-gcx5-4w52 GMS-2020-786 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in swagger-ui. |
Affected by 0 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-gdhu-jxfv-k7a9
Aliases: CVE-2019-17495 GHSA-c427-hjc3-wrfw |
Injection Vulnerability A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product intentionally allows the embedding of untrusted JSON data from remote servers, but it was not previously known that `<style>@import` within the JSON data was a functional attack method. |
Affected by 0 other vulnerabilities. |
|
VCID-h64t-4k96-h7d4
Aliases: GHSA-x9p2-fxq6-2m5f GMS-2019-143 |
Reverse Tabnapping in swagger-ui Versions of `swagger-ui` prior to 3.18.0 are vulnerable to [Reverse Tabnapping](https://www.owasp.org/index.php/Reverse_Tabnabbing). The package uses `target='_blank'` in anchor tags, allowing attackers to access `window.opener` for the original page. This is commonly used for phishing attacks. ## Recommendation Upgrade to version 3.18.0 or later. |
Affected by 2 other vulnerabilities. |
|
VCID-hvuf-t6m7-fuhh
Aliases: GHSA-w992-2gmj-9xxj GMS-2020-787 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in swagger-ui. |
Affected by 0 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-mjr2-z5x4-e3bs
Aliases: GHSA-g336-c7wv-8hp3 GMS-2020-784 |
Cross-Site Scripting in swagger-ui Affected versions of `swagger-ui` are vulnerable to cross-site scripting via the `url` query string parameter. ## Recommendation Update to 2.2.1 or later. |
Affected by 0 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-mpx5-7r4y-77a9
Aliases: GHSA-4f9m-pxwh-68hg GMS-2020-782 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in swagger-ui. |
Affected by 1 other vulnerability. |
|
VCID-r28p-re5d-uya7
Aliases: CVE-2016-1000233 GHSA-mrx7-8hxf-f853 GMS-2020-785 |
XSS via Content-type header By using a malicious server which returns script as the value of the Content-Type header, it is possible to execute arbitrary code using the demonstration capabilities of Swagger-UI. |
Affected by 11 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-uyf1-htgj-6bdp
Aliases: GMS-2016-45 |
XSS in key names Swagger-ui contains a cross site scripting (XSS) vulnerability in the key names for the following object path in the JSON document: `.definitions.{USER_DEFINED}.properties.{INJECTABLE_KEY_NAME}`. Supplying a key name with script tags causes arbitrary code execution. In addition it is possible to load the arbitrary JSON files remotely via the `URL` query-string parameter. |
Affected by 4 other vulnerabilities. |
|
VCID-wfzu-tsmb-nqf1
Aliases: GHSA-388g-jwpg-x6j4 GMS-2020-781 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in swagger-ui. |
Affected by 3 other vulnerabilities. |
|
VCID-ybf8-7h5c-3bbu
Aliases: CVE-2016-1000239 |
XSS in URL Query String Parameter In versions 2.1.0-M1 and 2.1.0-M2, swagger-ui has a cross site scripting (XSS) vulnerability in the `url` query string parameter. |
Affected by 12 other vulnerabilities. |
|
VCID-znja-a329-yyh9
Aliases: GHSA-22q9-hqm5-mhmc GMS-2020-780 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in swagger-ui. |
Affected by 0 other vulnerabilities. Affected by 4 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||