3 matches found
CVE-2019-17495
CVE-2019-17495 is a CSS injection flaw in Swagger UI prior to 3.23.11 using the Relative Path Overwrite (RPO) technique that can lead to exfiltration of sensitive data (e.g., CSRF tokens) via CSS-based input field values. Concrete details across connected docs show multiple IBM advisories referen...
CVE-2018-25031
CVE-2018-25031 affects Swagger UI 4.1.2 and earlier. A remote attacker could persuade a user to open a crafted URL to cause spoofing by displaying remote OpenAPI definitions. The issue was claimed fixed in 4.1.3, but third-party reports indicate it may still be present in 4.1.3 and potentially la...
CVE-2024-22207
CVE-2024-22207 affects the fastify-swagger-ui Fastify plugin. Before version 2.1.0, the default configuration of @fastify/swagger-ui without a baseDir exposes all files in the module directory via HTTP routes, enabling information disclosure. The issue is resolved in v2.1.0; as a workaround, conf...