CVE-2016-5682
Cross-Site Scripting in swagger-ui
EPSS 0.28%
Description
Affected versions of `swagger-ui` contain a cross-site scripting vulnerability in the key names of a specific nested object in the JSON document.

## Proof of Concept

The vulnerable object structure is:

```
{
  "definitions": {
    "arbitraryVal": {
      "properties": {
        "<INJECTABLE_KEY_NAME>": "LoremIpsum"
      }
    }
  }
}
```

Malicious JSON documents can be loaded in by providing a URL to them in the `url` query string parameter.

## Recommendation

Update to version 2.2.1 or later.
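The following is an added example, not swagger-ui's own code or its fix: it scans a Swagger 2.0 document for property names under `definitions.*.properties` that carry HTML metacharacters (the sink the advisory describes) and shows the HTML escaping a renderer must apply before inserting such a key into the page. The sample document is constructed to match the proof-of-concept shape above.

```javascript
// Added example (not swagger-ui code): lint a Swagger 2.0 document for
// property keys that would need escaping before being rendered as HTML.

// Constructed sample, shaped like the advisory's proof of concept.
const sampleDoc = {
  definitions: {
    arbitraryVal: {
      properties: {
        "<INJECTABLE_KEY_NAME>": "LoremIpsum",
        safeName: "LoremIpsum"
      }
    }
  }
};

// Characters that change meaning when text is inserted into HTML content or attributes.
const HTML_META = /[<>"'&]/;

// Escape the five HTML metacharacters; this is what a renderer must do with
// untrusted key names instead of concatenating them into markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Return one record per property key under definitions.<def>.properties that
// contains HTML metacharacters, with the path and the escaped form.
function findUnsafePropertyKeys(doc) {
  const hits = [];
  const defs = (doc && doc.definitions) || {};
  for (const [defName, def] of Object.entries(defs)) {
    const props = (def && def.properties) || {};
    for (const key of Object.keys(props)) {
      if (HTML_META.test(key)) {
        hits.push({ path: `definitions.${defName}.properties`, key, escaped: escapeHtml(key) });
      }
    }
  }
  return hits;
}

console.log(JSON.stringify(findUnsafePropertyKeys(sampleDoc), null, 2));
```

Run the check against any document fetched through the `url` parameter before handing it to a renderer that has not been upgraded; an empty result means no property key needs escaping.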
How to fix CVE-2016-5682
To remediate CVE-2016-5682, upgrade the affected package to a fixed version below.
- upgrade to 2.2.1 or later
Is CVE-2016-5682 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- swagger-ui: from 0, < 2.2.1