Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nodejsJoe VennixNODEJS:126
HistoryJul 21, 2016 - 5:01 p.m.

Cross-Site Scripting

2016-07-2117:01:35
Joe Vennix
www.npmjs.com
25

EPSS

0.001

Percentile

34.6%

JSON

Overview

Affected versions of swagger-ui contain a cross-site scripting vulnerability in the key names of a specific nested object in the JSON document.

Proof of Concept

The vulnerable object structure is:

{
    "definitions": {
        "arbitraryVal": {
            "properties": {
                "<INJECTABLE_KEY_NAME>": "LoremIpsum"
                }
            }
        }
}

Malicious JSON documents can be loaded in by providing a URL to them in the url query string parameter.

Recommendation

Update to version 2.2.1 or later.

References

Related

hackerone 1
redhatcve 1
cvelist 1
github 1
osv 2
prion 1
nvd 1
cve 1
ibm 1
hackerone
hackerone
U.S. Dept Of Defense: Reflected XSS at ████████
2023-01-13 14:46:59
redhatcve
redhatcve
CVE-2016-5682
2017-04-19 13:18:19
cvelist
cvelist
CVE-2016-5682
2017-04-10 03:00:00
github
github
Cross-Site Scripting in swagger-ui
2020-09-01 15:30:58
osv
osv
CVE-2016-5682
2017-04-10 03:59:02
Cross-Site Scripting in swagger-ui
2020-09-01 15:30:58
prion
prion
Design/Logic Flaw
2017-04-10 03:59:00
nvd
nvd
CVE-2016-5682
2017-04-10 03:59:02
cve
cve
CVE-2016-5682
2017-04-10 03:59:02
ibm
ibm
Security Bulletin: IBM Planning Analytics Workspace is affected by vulnerabilties
2023-01-27 20:06:13

EPSS

0.001

Percentile

34.6%

JSON
Related for NODEJS:126
hackerone1redhatcve1cvelist1github1osv2prion1nvd1cve1ibm1