WS-2016-0034
Date: January 13, 2016
Swagger-ui is vulnerable to cross-site scripting (XSS) because the "Produces" and "consumes" content types in the schema are not escaped.
Language: JS
Severity Score
Weakness Type (CWE): CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Top Fix

Upgrade Version
Upgrade to a fixed version of the affected package.
CVSS v3.1

Base Score:

| Metric | Value |
|---|---|
| Attack Vector (AV) | NETWORK |
| Attack Complexity (AC) | LOW |
| Privileges Required (PR) | NONE |
| User Interaction (UI) | NONE |
| Scope (S) | UNCHANGED |
| Confidentiality (C) | NONE |
| Integrity (I) | NONE |
| Availability (A) | HIGH |