CVE-2019-17495

Name of the Vulnerable Software and Affected Versions Swagger UI versions prior to 3.23.11

Description The issue is related to a Cascading Style Sheets (CSS) injection vulnerability in Swagger UI. This vulnerability can be exploited by a remote attacker to perform a cross-site scripting attack. The vulnerability allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. The product allows the embedding of untrusted JSON data from remote servers, and it was discovered that the <style>@import method within the JSON data is a functional attack method.

Recommendations For Swagger UI versions prior to 3.23.11, update to version 3.23.11 or later to resolve the issue. As a temporary workaround, consider restricting the embedding of untrusted JSON data from remote servers to minimize the risk of exploitation. Avoid using the <style>@import method within the JSON data until the issue is resolved.