Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

WS-2019-0172

Good to know:

icon
icon

Date: February 23, 2019

swagger-ui before 3.20.9 fails to sanitize URLs used in the OAuth auth flow, which may allow attackers to execute arbitrary JavaScript. that leads to Cross-Site Scripting

Language: Java

Severity Score

Related Resources (3)

https://github.com/swagger-api/swagger-ui/pull/5190
https://github.com/swagger-api/swagger-ui/commit/4e58a06b8b505bf72194f9d6d220f9e7d9289621
https://www.mend.io/vulnerability-database/WS-2019-0172

Severity Score

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Top Fix

icon

Upgrade Version

Upgrade to version swagger-api/swagger-ui - dev-dependabot/npm_and_yarn/dompurify-3.0.8;swagger-api/swagger-ui - dev-fix/xml-oneOf;swagger-api/swagger-ui - dev-fix-null-value-parsing;swagger-api/swagger-ui - dev-dependabot/npm_and_yarn/babel/runtime-corejs3-7.22.3;swagger-api/swagger-ui - dev-facelift;swagger-api/swagger-ui - 3.3.1;swagger-api/swagger-ui - v3.20.9;swagger-api/swagger-ui - dev-dependabot/npm_and_yarn/mocha-9.0.2;swagger-api/swagger-ui - v/3.18.0;swagger-api/swagger-ui - dev-issue-5148;esandri/swagger-ui-big - no_fix;esandri/swagger-ui-big - v2.0.0;esandri/swagger-ui-big - v1.0;esandri/swagger-ui-big - v3.0.0;swagger-ui - 3.20.9;swagger-ui - 3.20.9;westhack/think-swagger - 1.0.0;westhack/think-swagger - no_fix;dreamfactory/df-swagger-ui - 0.2.0;dreamfactory/df-swagger-ui - 3.3.1;dreamfactory/df-swagger-ui - v1.0;dreamfactory/df-swagger-ui - dev-hotfix/firefox-issue-df624;zhaojunlike/think-swagger - 1.0.0;kevupton/auto-swagger-ui - no_fix;kevupton/auto-swagger-ui - v0.0.1;org.webjars.bower:swagger-ui:3.2.1;org.webjars.bower:swagger-ui:3.0.16;org.webjars.bower:swagger-ui:3.0.5;org.webjars.bower:swagger-ui:3.0.10;org.webjars.bower:swagger-ui:3.22.2;org.webjars.npm:github-com-haraldrudell-react-swagger-ui:no_fix;org.webjars.npm:github-com-swagger-api-swagger-ui:3.15.0

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): LOW
Integrity (I): LOW
Availability (A): NONE

Do you need more information?

Contact Us