mend-for-github-com bot changed the title from "swagger-ui-2.2.10.tgz: 5 vulnerabilities (highest severity is: 9.8)" to "swagger-ui-2.2.10.tgz: 5 vulnerabilities (highest severity is: 9.8) - autoclosed" on Mar 13, 2023
Vulnerable Library - swagger-ui-2.2.10.tgz
Swagger UI is a dependency-free collection of HTML, JavaScript, and CSS assets that dynamically generate beautiful documentation from a Swagger-compliant API
Library home page: https://registry.npmjs.org/swagger-ui/-/swagger-ui-2.2.10.tgz
Found in HEAD commit: 795f07384506c96f6f7522e106379b8f4ee3c48f
Mend has checked all newer package trees, and you are on the least vulnerable package!
Please note: There might be a version that explicitly solves one or more of the vulnerabilities listed below, but we do not recommend it. For more info about the optional fixes, check the section “Details” below.
Vulnerabilities
Details
CVE-2019-17495
Vulnerable Library - swagger-ui-2.2.10.tgz
Library home page: https://registry.npmjs.org/swagger-ui/-/swagger-ui-2.2.10.tgz
Dependency Hierarchy:
Found in HEAD commit: 795f07384506c96f6f7522e106379b8f4ee3c48f
Found in base branch: main
Vulnerability Details
A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product intentionally allows the embedding of untrusted JSON data from remote servers, but it was not previously known that <style>@import within the JSON data was a functional attack method.
Publish Date: 2019-10-10
URL: CVE-2019-17495
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-c427-hjc3-wrfw
Release Date: 2019-10-10
Fix Resolution: swagger-ui - 3.23.11
WS-2019-0172
Vulnerable Library - swagger-ui-2.2.10.tgz
Library home page: https://registry.npmjs.org/swagger-ui/-/swagger-ui-2.2.10.tgz
Dependency Hierarchy:
Found in HEAD commit: 795f07384506c96f6f7522e106379b8f4ee3c48f
Found in base branch: main
Vulnerability Details
swagger-ui before 3.20.9 fails to sanitize URLs used in the OAuth auth flow, which may allow attackers to execute arbitrary JavaScript, leading to Cross-Site Scripting.
Publish Date: 2019-02-23
URL: WS-2019-0172
CVSS 3 Score Details (6.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/976
Release Date: 2019-02-23
Fix Resolution: 3.20.9
WS-2019-0236
Vulnerable Library - swagger-ui-2.2.10.tgz
Library home page: https://registry.npmjs.org/swagger-ui/-/swagger-ui-2.2.10.tgz
Dependency Hierarchy:
Found in HEAD commit: 795f07384506c96f6f7522e106379b8f4ee3c48f
Found in base branch: main
Vulnerability Details
swagger-ui versions before 3.0.13 are vulnerable to XSS because they fail to sanitize YAML files imported from URLs or copy-pasted. This may allow attackers to execute arbitrary JavaScript.
Publish Date: 2017-06-02
URL: WS-2019-0236
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/985
Release Date: 2017-06-02
Fix Resolution: 3.0.13
CVE-2018-25031
Vulnerable Library - swagger-ui-2.2.10.tgz
Library home page: https://registry.npmjs.org/swagger-ui/-/swagger-ui-2.2.10.tgz
Dependency Hierarchy:
Found in HEAD commit: 795f07384506c96f6f7522e106379b8f4ee3c48f
Found in base branch: main
Vulnerability Details
Swagger UI before 4.1.3 could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions.
Publish Date: 2022-03-11
URL: CVE-2018-25031
CVSS 3 Score Details (4.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-qrmm-w75w-3wpx
Release Date: 2022-03-11
Fix Resolution: swagger-ui - 4.1.3;swagger-ui-dist - 4.1.3
WS-2019-0171
Vulnerable Library - swagger-ui-2.2.10.tgz
Library home page: https://registry.npmjs.org/swagger-ui/-/swagger-ui-2.2.10.tgz
Dependency Hierarchy:
Found in HEAD commit: 795f07384506c96f6f7522e106379b8f4ee3c48f
Found in base branch: main
Vulnerability Details
swagger-ui before 3.18.0 has a reverse tabnabbing vulnerability: it uses target='_blank' in anchor tags, allowing attackers to access window.opener for the original page.
Publish Date: 2018-08-02
URL: WS-2019-0171
CVSS 3 Score Details (4.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/975
Release Date: 2018-08-02
Fix Resolution: 3.18.0