Affected versions of swagger-ui contain a cross-site scripting vulnerability in the key names of a specific nested object in the JSON document.
The vulnerable object structure is:
```json
{
  "definitions": {
    "arbitraryVal": {
      "properties": {
        "<INJECTABLE_KEY_NAME>": "LoremIpsum"
      }
    }
  }
}
```
Malicious JSON documents can be loaded by providing a URL to them in the `url` query string parameter.
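The following is an added example, not swagger-ui code, showing the defensive side of this bug class: a small scanner that walks `definitions.*.properties` in a Swagger 2.0 document and reports property keys containing HTML-significant characters, next to an unsafe and a safe way of rendering those keys into a list. The function names, the sample document and its constructed key `<i>name</i>` are assumptions for illustration and do not come from the advisory.

```javascript
// Added example (not swagger-ui code): scan a Swagger 2.0 document for property
// names under definitions.*.properties that contain HTML-significant characters,
// and show how such names must be escaped before being inserted into the DOM.
// All names, the sample document and its keys are constructed for illustration.

// Characters that change meaning when a string is interpolated into HTML.
const HTML_SPECIAL = /[<>"'&]/;

// Escape a string for safe insertion as HTML text or attribute content.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Walk definitions.<name>.properties and return every property key that
// contains an HTML-significant character, together with its JSON path.
function findUnsafePropertyKeys(doc) {
  const findings = [];
  const definitions = (doc && doc.definitions) || {};
  for (const [defName, def] of Object.entries(definitions)) {
    const props = def && def.properties;
    if (!props || typeof props !== "object") continue;
    for (const key of Object.keys(props)) {
      if (HTML_SPECIAL.test(key)) {
        findings.push({ path: `definitions.${defName}.properties`, key });
      }
    }
  }
  return findings;
}

// Render the property names of one definition as an HTML list.
// The unsafe variant mirrors the bug class: the key is interpolated raw,
// so markup inside it becomes part of the page.
function renderPropertyListUnsafe(props) {
  return "<ul>" + Object.keys(props).map(k => `<li>${k}</li>`).join("") + "</ul>";
}

// The safe variant escapes each key, so it is displayed as text only.
function renderPropertyListSafe(props) {
  return "<ul>" + Object.keys(props).map(k => `<li>${escapeHtml(k)}</li>`).join("") + "</ul>";
}

// Constructed sample document using the object structure from the advisory.
const SAMPLE_DOC = {
  swagger: "2.0",
  definitions: {
    arbitraryVal: {
      properties: {
        "<i>name</i>": "LoremIpsum",
        "id": { type: "integer" }
      }
    }
  }
};

// Stand-alone usage: report findings and compare both renderings.
console.log(findUnsafePropertyKeys(SAMPLE_DOC));
console.log(renderPropertyListUnsafe(SAMPLE_DOC.definitions.arbitraryVal.properties));
console.log(renderPropertyListSafe(SAMPLE_DOC.definitions.arbitraryVal.properties));
```

Running the scanner over a document fetched from the `url` parameter before handing it to the renderer gives a cheap detection signal; escaping at render time is the actual fix, and upgrading swagger-ui is what applies it in practice.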
Update to version 2.2.1 or later.