Cross-Site Scripting in swagger-ui

moderate severity Published Sep 11, 2020 • Updated Sep 28, 2021

Package

swagger-ui (npm)

Affected versions

< 3.20.9

Patched versions

3.20.9

Description

Versions of swagger-ui prior to 3.20.9 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize URLs used in the OAuth auth flow, which may allow attackers to execute arbitrary JavaScript.
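The advisory says the vulnerable versions fail to sanitize URLs in the OAuth flow, but not how the upstream fix looks. The following is an added illustration, not swagger-ui's own code, of the standard mitigation for this bug class: before a client-side application navigates to or embeds a URL it did not author, the URL is parsed and its scheme checked against a small allowlist, so that non-HTTP schemes (which a browser would otherwise execute as script or render as markup) are rejected. The base URL and the sample inputs are constructed for the example.

```javascript
// Added example (not from swagger-ui): scheme-allowlist check for URLs that
// will be navigated to or rendered by a browser-side application.
// Assumption: the application only ever needs http(s) targets in this flow.
const SAFE_SCHEMES = new Set(['http:', 'https:']);

// Returns the normalised absolute URL when its scheme is allowed, otherwise null.
// Relative inputs are resolved against `base` (constructed default), so a
// relative path inherits the base's scheme and cannot introduce its own.
function safeUrl(candidate, base = 'https://example.invalid/') {
  if (typeof candidate !== 'string') return null;
  let parsed;
  try {
    // The WHATWG parser lower-cases the scheme and trims surrounding
    // whitespace, so "  JAVASCRIPT:" and "javascript:" are treated alike.
    parsed = new URL(candidate.trim(), base);
  } catch {
    return null; // unparsable input is rejected rather than passed through
  }
  return SAFE_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Constructed sample inputs: the first two are accepted, the rest rejected.
const SAMPLE_URLS = [
  'https://auth.example.com/authorize?client_id=demo',
  '/relative/callback',
  'javascript:void(0)',      // script scheme
  '  JAVASCRIPT:void(0)',    // case and whitespace variant of the same
  'data:text/html,x',        // inline document scheme
  'not a url at all',
];

for (const u of SAMPLE_URLS) {
  console.log(JSON.stringify(u), '->', safeUrl(u));
}
```

Note that `'not a url at all'` is accepted: resolved against the base it becomes an ordinary `https:` path, which is exactly what an allowlist on scheme is meant to decide. If the application also needs to restrict hosts (for example to the configured OAuth provider), that is a second, separate check on `parsed.host`.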

Recommendation

Upgrade to version 3.20.9 or later.
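To act on this recommendation across a code base, the first question is whether any installed copy of swagger-ui (including transitively nested ones) falls in the affected range. The script below is an added example, not part of the advisory or of swagger-ui: it walks the `packages` map of a lockfile v2/v3 `package-lock.json`, compares each `swagger-ui` entry's version against the patched version `3.20.9` from the advisory, and reports the ones that need upgrading. The lockfile fragment is constructed for the example.

```javascript
// Added example (not part of the advisory): find installed swagger-ui copies
// with version < 3.20.9 in a package-lock.json (lockfile v2/v3 "packages" map).
const PATCHED = '3.20.9'; // patched version stated in the advisory

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into numeric parts plus a pre-release flag.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return { nums: m.slice(1, 4).map(Number), pre: Boolean(m[4]) };
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
// A pre-release of X.Y.Z sorts before the release X.Y.Z, as semver specifies.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  if (pa.pre === pb.pre) return 0;
  return pa.pre ? -1 : 1;
}

// Affected range from the advisory: every version strictly below the patched one.
function isAffected(version) {
  return compareVersions(version, PATCHED) < 0;
}

// lock: parsed package-lock.json object. Returns [{ path, version }] for each
// installed copy of pkgName in the affected range, nested copies included.
function findAffected(lock, pkgName = 'swagger-ui') {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Lockfile paths look like "node_modules/foo" or
    // "node_modules/parent/node_modules/foo" for nested installs.
    const isPkg = path === `node_modules/${pkgName}` ||
                  path.endsWith(`/node_modules/${pkgName}`);
    if (isPkg && entry.version && isAffected(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed lockfile fragment: one patched top-level copy, one affected copy
// nested under a hypothetical dependency, and a different package with a
// similar name that must not be matched.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/swagger-ui': { version: '3.20.9' },
    'node_modules/legacy-docs': { version: '0.1.0', dependencies: { 'swagger-ui': '^3.18.0' } },
    'node_modules/legacy-docs/node_modules/swagger-ui': { version: '3.18.3' },
    'node_modules/swagger-ui-dist': { version: '3.20.5' },
  },
};

for (const hit of findAffected(SAMPLE_LOCK)) {
  console.log(`affected: ${hit.path} @ ${hit.version} (upgrade to >= ${PATCHED})`);
}
```

Two design choices worth noting: the match is on the exact package path segment, so `swagger-ui-dist` (a separately published bundle) is deliberately not matched by a check written for `swagger-ui`; and a pre-release such as `3.20.9-beta.1` is reported as affected because it precedes the `3.20.9` release.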

References

GHSA ID

GHSA-4f9m-pxwh-68hg

CVSS Score

6.5 Moderate
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N