CVE-2023-50265 Bazarr Arbitrary file read in /api/swaggerui/static endpoint
Bazarr manages and downloads subtitles. Prior to 1.3.1, the /api/swaggerui/static endpoint in bazarr/app/ui.py does not validate the user-controlled filename variable and uses it in the sendfile function, which leads to an arbitrary file read on the system. This issue is fixed in version 1.3.1...
Security Bulletin: A security vulnerability has been identified in SwaggerUI shipped with IBM Tivoli Netcool Impact (CVE-2018-25031, 221508)
Summary: SwaggerUI is shipped with IBM Tivoli Netcool Impact. Information about a security vulnerability affecting SwaggerUI has been published in a security bulletin. Vulnerability Details: CVEID: CVE-2018-25031. DESCRIPTION: swagger-ui could allow a remote attacker to conduct spoofing attacks. By...
Clickjacking
swagger-ui is vulnerable to clickjacking. It was possible to perform a clickjacking attack due to the lack of validation in the SwaggerUI function, allowing a remote attacker to hijack victim click actions...
Server side request forgery in SwaggerUI
SwaggerUI supports displaying remote OpenAPI definitions through the ?url parameter. This enables robust demonstration capabilities on sites like petstore.swagger.io, editor.swagger.io, and similar sites, where users often want to see what their OpenAPI definitions would look like rendered...