GHSA-CR3Q-PQGQ-M8C2 Spoofing attack in swagger-ui
Swagger UI before 4.1.3 could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions...
CVE-2018-25031
Swagger UI 4.1.2 and earlier could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions. Note: This was originally claimed to be resolved in 4.1.3. However, third parti...
Design/Logic Flaw
Swagger UI before 4.1.3 could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions...
Swagger UI input validation error vulnerability
Swagger UI is an open source tool that supports visualizing and interacting with API resources. An input validation error vulnerability exists in Swagger UI versions prior to 4.1.3, which stems from the software's lack of filtering and escaping of user-submitted URL data. This vulnerability can b...
PT-2022-8044 · Unknown · Swagger-Ui
Name of the Vulnerable Software and Affected Versions: Swagger UI versions 4.1.2 and earlier Description: The issue allows a remote attacker to conduct spoofing attacks by persuading a victim to open a crafted URL, which could exploit this vulnerability to display remote OpenAPI definitions...
OpenAPI Unencrypted Traffic Allowed
OpenAPI specification is an API description format for REST APIs. An OpenAPI file is written in YAML or JSON and describes all the API properties like the available endpoints with the related operations or the authentication methods. As for web applications, allowing unencrypted protocols to acce...
How to Make API Security an Integral Part of Your Application Security Strategy
The farther your organization travels down the digital transformation path, the more critical API protection is to your overall security posture. Every day, your development teams are innovating; they rely more on microservices to save time and money as they automate business-to-business processe...
Server side request forgery in SwaggerUI
SwaggerUI supports displaying remote OpenAPI definitions through the ?url parameter. This enables robust demonstration capabilities on sites like petstore.swagger.io, editor.swagger.io, and similar sites, where users often want to see what their OpenAPI definitions would look like rendered...
GHSA-QRMM-W75W-3WPX Server side request forgery in SwaggerUI
SwaggerUI supports displaying remote OpenAPI definitions through the ?url parameter. This enables robust demonstration capabilities on sites like petstore.swagger.io, editor.swagger.io, and similar sites, where users often want to see what their OpenAPI definitions would look like rendered...
Swurg - Parse OpenAPI Documents Into Burp Suite For Automating OpenAPI-based APIs Security Assessments
Swurg is a Burp Suite extension designed for OpenAPI testing. The OpenAPI Specification OAS defines a standard, programming language-agnostic interface description for REST APIs, which allows both humans and computers to discover and understand the capabilities of a service without requiring acce...
Discovering Shadow APIs with Wallarm API firewall
Shadow APIs can be defined as active endpoints that you are not aware of. Some APIs are deployed but never documented. Others are services that don’t have an owner anymore. Some are even old v2 versions that have been deprecated for years, yet still exposed. Long story short: these APIs are not...
What is OpenAPI ❓ Concept, Examples and Advantages
What is OpenAPI? If there is anything that is growing by leaps and bounds, it is API development and awareness of API security. Whether it is a web API or a mobile API, growth is significant in each domain. While we discuss API development, OpenAPI deserves a mention for sure. Thi...
GHSA-Q324-Q795-2Q5P Path traversal when using `preview-docs` when working dir contains files with question mark `?` in name
Impact: the preview-docs command allows path traversal if the current working dir contains files with a question mark ? in the name and the attacker knows the name. Patches: it was patched starting from 1.0.0-beta.59. Workarounds: do not run the openapi-cli preview-docs command in a folder which contains files with...
API8: Injection☝️ — What you need to know
API8: Injection☝️ — What you need to know Introduction API8:2019 Injection What is Injection? APIs with the following properties are open to injection flaws: when we don't sanitize the input from the front-end we are opening ourselves to a world of problems; this would allow the user to input...
@apalchys/serverless-openapi-documentation (>=0.1.0 <=0.5.4), @conqa/serverless-openapi-documentation (>=1.0.1 <=1.0.4) +27 more potentially affected by CVE-2021-23396 via lutils (>=0.2.11 <=2.4.0)
lutils NPM version =0.2.11, =0.1.0, =1.0.1, =0.0.1, =0.1.0, =0.1.0, =0.1.0, =2.0.9, =0.3.0, =0.0.1, =0.1.9 and more Source cves: CVE-2021-23396 Source advisory: OSV:GHSA-3R8W-MPHV-2F3F...
@apalchys/serverless-openapi-documentation (>=0.1.0 <=0.5.4), @conqa/serverless-openapi-documentation (>=1.0.1 <=1.0.4) +27 more potentially affected by CVE-2021-23396 via lutils (>=0.2.11 <=2.4.0)
lutils NPM version =0.2.11, =0.1.0, =1.0.1, =0.0.1, =0.1.0, =0.1.0, =0.1.0, =2.0.9, =0.3.0, =0.0.1, =0.1.9 and more Source cves: CVE-2021-23396 Source advisory: SNYK:JS-LUTILS-1311023...
Fedora: Security Advisory for python-fastapi (FEDORA-2021-e7fabd81fb)
The remote host is missing an update for the Copyright (C) 2021 Greenbone Networks GmbH Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...