CVE-2019-17495
Cross-site scripting in Swagger-UI
CVSS 3.1 base score: 9.8 (CRITICAL)
EPSS: 11.6%
Description
A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product intentionally allows the embedding of untrusted JSON data from remote servers, but it was not previously known that <style>@import within the JSON data was a functional attack method.
How to fix CVE-2019-17495
To remediate CVE-2019-17495, upgrade the affected package to one of the fixed versions listed below.
- —upgrade to 2.10.0 or later
- —upgrade to 3.23.11 or later
- —upgrade to 3.23.11 or later
- —upgrade to 3.23.11 or later
Is CVE-2019-17495 being exploited?
Moderate — EPSS is 11.6%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (4)
- from 0, < 2.10.0
- from 0, < 3.23.11
- from 0, < 3.23.11
- from 0, < 3.23.11
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |