CVE-2019-17495
published 2019-10-10
critical 9.8 CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product intentionally allows the embedding of untrusted JSON data from remote servers, but it was not previously known that @import within the JSON data was a functional attack method.
Affected
17 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| oracle | banking_apis | — | — |
| oracle | banking_apis | — | — |
| oracle | banking_apis | — | — |
| oracle | banking_apis | — | — |
| oracle | banking_apis | 18.1 – 18.3 | — |
| oracle | banking_digital_experience | — | — |
| oracle | banking_digital_experience | — | — |
| oracle | banking_digital_experience | — | — |
| oracle | banking_digital_experience | — | — |
| oracle | banking_digital_experience | 18.1 – 18.3 | — |
| oracle | banking_platform | 2.4.0 – 2.10.0 | — |
| oracle | primavera_gateway | 16.2.0 – 16.2.11 | — |
| oracle | primavera_gateway | 17.12.0 – 17.12.8 | — |
| oracle | utilities_framework | — | — |
| oracle | utilities_framework | — | — |
| oracle | utilities_framework | — | — |
| smartbear | swagger_ui | < 3.23.11 | 3.23.11 |