Affected versions of
swagger-ui are vulnerable to cross-site scripting in both the
produces parameters of the swagger JSON document for a given API.
swagger-ui allows users to load arbitrary swagger JSON documents via the query string parameter
url, allowing an attacker to exploit this attack against any user that the attacker can convince to visit a crafted link.
``` http://<USER_HOSTNAME>/swagger-ui/index.html?url=http://<MALICIOUS_HOSTNAME>/malicious-swagger-file.json ````
Update to version 2.1.5 or later.