CVE-2019-17495

CWE-352 — Cross-Site Request Forgery (CSRF)CWE-79 — Cross-site Scripting (XSS)8 documents5 sources

Severity

9.8CRITICAL

EPSS

11.6%

top 6.36%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Smartbear Swagger UI Oracle Banking Apis Oracle Banking Digital Experience +3 more

Timeline

PublishedOct 10

Latest updateJul 15

Description

A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product intentionally allows the embedding of untrusted JSON data from remote servers, but it was not previously known that @import within the JSON data was a functional attack method.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages10 packages

▶npmswagger-ui< 3.23.11

▶NVDsmartbear/swagger_ui< 3.23.11

▶Mavenorg.webjars:swagger-ui< 3.23.11

▶Mavenorg.webjars.npm:swagger-ui< 3.23.11

▶Mavenio.springfox:springfox-swagger-ui< 2.10.0

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

OSV

Cross-site scripting in Swagger-UI↗2019-10-15

▶

GHSA

Cross-site scripting in Swagger-UI↗2019-10-15

▶

CVEList

CVE-2019-17495: A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3↗2019-10-10

▶

📋Vendor Advisories

Oracle

Oracle Oracle Commerce Risk Matrix: Framework, Experience Manager (Swagger UI) — CVE-2019-17495↗2022-07-15

▶

Oracle

Oracle Oracle Financial Services Applications Risk Matrix: Framework (Swagger UI) — CVE-2019-17495↗2022-01-15

▶

Oracle

Oracle Oracle Utilities Applications Risk Matrix: General (Swagger UI) — CVE-2019-17495↗2021-04-15

▶

Oracle

Oracle Oracle Construction and Engineering Risk Matrix: Admin (Swagger UI) — CVE-2019-17495↗2020-10-15

▶