Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Swagger Editor 2.9.9 Cross Site Scripting

🗓️ 03 May 2016 00:00:00Reported by Julien AhrensType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 38 Views

Swagger Editor v2.9.9 "description" Key DOM-based Cross-Site Scripting. Vulnerability in importing remote YAML/JSON files allows unauthenticated script injection

Code
`Swagger Editor v2.9.9 "description" Key DOM-based Cross-Site Scripting  
  
RCE Security Advisory  
https://www.rcesecurity.com  
  
  
1. ADVISORY INFORMATION  
=======================  
Product: Swagger Editor  
Vendor URL: https://github.com/swagger-api/swagger-editor  
Type: Cross-Site Scripting [CWE-79]  
Date found: 2015-04-07  
Date published: 2016-05-03  
CVSSv3 Score: 6.3 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)  
CVE: -  
  
  
2. CREDITS  
==========  
This vulnerability was discovered and researched by Julien Ahrens from  
RCE Security.  
  
  
3. VERSIONS AFFECTED  
====================  
Swagger Editor v2.9.9 (latest)  
older versions may be affected too.  
  
  
4. INTRODUCTION  
===============  
Swagger Editor lets you edit Swagger API specifications in YAML inside your  
browser and to preview documentations in real time. Valid Swagger JSON  
descriptions can then be generated and used with the full Swagger tooling  
(code generation, documentation, etc).  
  
(from the vendor's homepage)  
  
  
5. VULNERABILITY DETAILS  
========================  
The application "Swagger Editor" offers the functionality to import Swagger  
API specifications via a remote YAML/JSON file, but does not properly  
validate the "description" key within the imported specification file, which  
could lead to an unauthenticated DOM-based Cross-Site Scripting  
vulnerability.  
  
The following Proof-of-Concept YAML file triggers this vulnerability:  
  
swagger: '2.0'  
info:  
version: 1.0.0  
title: Echo  
description: '<script>alert(document.domain)</script>'  
paths:  
/:  
get:  
responses:  
'200':  
description: Echo GET  
  
  
6. RISK  
=======  
To successfully exploit this vulnerability, the user must be tricked into  
importing an arbitrary JSON or YAML file either via the file system or  
via a  
remote URL.  
  
The vulnerability can be used to temporarily embed arbitrary script code  
into the context of the Swagger Editor interface, which offers a wide range  
of possible attacks such as client-side context manipulation or attacking  
the browser and its components.  
  
  
7. SOLUTION  
===========  
None.  
  
  
8. REPORT TIMELINE  
==================  
2015-04-07: Discovery of the vulnerability  
2015-04-07: Notified vendor via contact addresses on GitHub  
2015-04-14: Notified vendor via contact addresses on GitHub  
2015-04-23: Notified vendor via contact addresses on GitHub  
2015-05-02: Notified vendor via contact addresses on GitHub  
2015-05-02: Vendor states that creating a public GitHub issue is the  
proper way  
according to their policy  
2016-05-03: Created https://github.com/swagger-api/swagger-editor/issues/908  
2016-05-03: Advisory released  
  
  
9. REFERENCES  
-------------  
https://github.com/swagger-api/swagger-editor/issues/908  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
03 May 2016 00:00Current
swagger editorcross-site scriptingrce security advisoryyamljsondom-basedvulnerabilityimportingremote url
38