CVE-2016-1000233
Cross-Site Scripting in swagger-ui
Description
Affected versions of `swagger-ui` are vulnerable to cross-site scripting. The vulnerability exists because `swagger-ui` automatically executes external JavaScript loaded via the `url` query string parameter when the response carries a `Content-Type: application/javascript` header. An attacker can set up a server that replies with a malicious script and that content type, then craft a `swagger-ui` URL whose `url` query string parameter points at that server/script. When viewed, such a link executes the attacker's script in the context of the `swagger-ui` page.
Recommendation
Update to 2.2.1 or later.
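The mechanism described above, a spec location taken from the `url` parameter and the fetched body being executed when it is served as `application/javascript`, is what a hardened loader has to refuse. The code below is an added example and is not `swagger-ui` code or its actual 2.2.1 fix; it assumes a host allow-list, a page address used to resolve relative URLs, and a plain `{contentType, body}` object standing in for a browser `fetch()` response, all of which are constructed for the demo.

```javascript
// Added example, not code from swagger-ui. It models safe handling of a spec
// location supplied through a `url` query parameter: the location must be an
// http(s) URL on an allow-listed host, and the fetched body is accepted only
// when its Content-Type is a spec type, never a script type.

const ALLOWED_SPEC_TYPES = new Set([
  'application/json',
  'application/yaml',
  'application/x-yaml',
  'text/yaml',
]);

// Reduce a Content-Type header to its lowercase media type, dropping
// parameters such as "; charset=utf-8".
function mediaTypeOf(contentType) {
  if (typeof contentType !== 'string') return '';
  return contentType.split(';')[0].trim().toLowerCase();
}

// Only spec media types may be parsed; application/javascript (the header
// named in the advisory) and anything else unknown is rejected.
function isSpecContentType(contentType) {
  return ALLOWED_SPEC_TYPES.has(mediaTypeOf(contentType));
}

// Validate the user-supplied `url` parameter against a host allow-list.
// `pageHref` is the address of the swagger-ui page and resolves relative URLs.
function isAllowedSpecUrl(rawUrl, pageHref, allowedHosts) {
  let parsed;
  try {
    parsed = new URL(rawUrl, pageHref);
  } catch (e) {
    return false; // unparsable input is rejected rather than silently ignored
  }
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') return false;
  return allowedHosts.includes(parsed.hostname);
}

// Apply both checks to a fetched response. `response` is a plain object
// {contentType, body} standing in for the fetch() Response in a browser.
function acceptSpec(rawUrl, pageHref, allowedHosts, response) {
  if (!isAllowedSpecUrl(rawUrl, pageHref, allowedHosts)) {
    return { ok: false, reason: 'url not allow-listed' };
  }
  if (!isSpecContentType(response.contentType)) {
    return {
      ok: false,
      reason: 'unexpected content-type ' + mediaTypeOf(response.contentType),
    };
  }
  return { ok: true, body: response.body };
}

// Constructed sample inputs (hostnames and bodies are made up for the demo).
const PAGE = 'https://api.example.test/docs/index.html';
const HOSTS = ['api.example.test'];

console.log(acceptSpec('/swagger.json', PAGE, HOSTS, {
  contentType: 'application/json; charset=utf-8',
  body: '{"swagger":"2.0"}',
}));
console.log(acceptSpec('https://other.example.test/spec.js', PAGE, HOSTS, {
  contentType: 'application/javascript',
  body: '// would never be evaluated',
}));
```

Either check alone closes the path the advisory describes: the allow-list stops the `url` parameter from pointing at an arbitrary server, and the content-type check stops a script body from ever reaching an evaluator even if the host check is loosened. A real deployment should also parse the accepted body as JSON/YAML data rather than evaluating it.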
How to fix CVE-2016-1000233
To remediate CVE-2016-1000233, upgrade the affected package to a fixed version below.
- upgrade to 2.2.1 or later
Is CVE-2016-1000233 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2016-1000233.
Affected packages (1)
- from 0, < 2.2.1