Swagger Editor 2.9.9 Cross Site Scripting

2016-05-03T00:00:00
ID PACKETSTORM:136902
Type packetstorm
Reporter Julien Ahrens
Modified 2016-05-03T00:00:00

Description

                                        
                                            `Swagger Editor v2.9.9 "description" Key DOM-based Cross-Site Scripting  
  
RCE Security Advisory  
https://www.rcesecurity.com  
  
  
1. ADVISORY INFORMATION  
=======================  
Product: Swagger Editor  
Vendor URL: https://github.com/swagger-api/swagger-editor  
Type: Cross-Site Scripting [CWE-79]  
Date found: 2015-04-07  
Date published: 2016-05-03  
CVSSv3 Score: 6.3 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)  
CVE: -  
  
  
2. CREDITS  
==========  
This vulnerability was discovered and researched by Julien Ahrens from  
RCE Security.  
  
  
3. VERSIONS AFFECTED  
====================  
Swagger Editor v2.9.9 (latest)  
older versions may be affected too.  
  
  
4. INTRODUCTION  
===============  
Swagger Editor lets you edit Swagger API specifications in YAML inside your  
browser and to preview documentations in real time. Valid Swagger JSON  
descriptions can then be generated and used with the full Swagger tooling  
(code generation, documentation, etc).  
  
(from the vendor's homepage)  
  
  
5. VULNERABILITY DETAILS  
========================  
The application "Swagger Editor" offers the functionality to import Swagger  
API specifications via a remote YAML/JSON file, but does not properly  
validate the "description" key within the imported specification file, which  
could lead to an unauthenticated DOM-based Cross-Site Scripting  
vulnerability.  
  
The following Proof-of-Concept YAML file triggers this vulnerability:  
  
swagger: '2.0'  
info:  
version: 1.0.0  
title: Echo  
description: '<script>alert(document.domain)</script>'  
paths:  
/:  
get:  
responses:  
'200':  
description: Echo GET  
  
  
6. RISK  
=======  
To successfully exploit this vulnerability, the user must be tricked into  
importing an arbitrary JSON or YAML file either via the file system or  
via a  
remote URL.  
  
The vulnerability can be used to temporarily embed arbitrary script code  
into the context of the Swagger Editor interface, which offers a wide range  
of possible attacks such as client-side context manipulation or attacking  
the browser and its components.  
  
  
7. SOLUTION  
===========  
None.  
  
  
8. REPORT TIMELINE  
==================  
2015-04-07: Discovery of the vulnerability  
2015-04-07: Notified vendor via contact addresses on GitHub  
2015-04-14: Notified vendor via contact addresses on GitHub  
2015-04-23: Notified vendor via contact addresses on GitHub  
2015-05-02: Notified vendor via contact addresses on GitHub  
2015-05-02: Vendor states that creating a public GitHub issue is the  
proper way  
according to their policy  
2016-05-03: Created https://github.com/swagger-api/swagger-editor/issues/908  
2016-05-03: Advisory released  
  
  
9. REFERENCES  
-------------  
https://github.com/swagger-api/swagger-editor/issues/908  
  
`