Swagger UI 3.14.0 < 3.38.0 Cross-Site Scripting

medium Web App Scanning Plugin ID 113267

Synopsis

Swagger UI 3.14.0 < 3.38.0 Cross-Site Scripting

Description

Swagger UI is a popular library used to beautify API specifications and render them to users. Swagger UI versions 3.14.1 to 3.37.2 suffer from a DOM-based Cross-Site Scripting (XSS) vulnerability caused by an outdated embedded `DOMPurify` library combined with a Swagger UI feature that allows fetching a remote API specification file.

By crafting a malicious specification file and linking it through Swagger UI, an attacker could leverage this vulnerability to execute arbitrary JavaScript in the context of the victim user and conduct further attacks.

Solution

Update to Swagger UI version 3.38.0 or later.
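The following is an added example, not Tenable's plugin code or anything from the Swagger UI project: it turns the affected range stated in the description (3.14.1 through 3.37.2, fixed in 3.38.0) into a version check a defender can run over an inventory of deployed Swagger UI versions to decide which hosts still need the upgrade. The inventory records and the `host` / `version` field names are constructed for the example; where the version string comes from (a pinned dependency, a banner, a build manifest) is an assumption left to the reader.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected range taken from the advisory text: 3.14.1 .. 3.37.2 inclusive,
# first fixed release 3.38.0. (Python tuple comparison handles the ordering.)
AFFECTED_MIN = (3, 14, 1)
FIXED = (3, 38, 0)

Version = Tuple[int, int, int]


def parse_version(text: str) -> Optional[Version]:
    """Extract the first major.minor.patch triple from a free-form string
    such as 'v3.37.2' or 'swagger-ui-dist@3.20.5'; None if none is present."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_affected(version_text: str) -> Optional[bool]:
    """True if the version falls inside the advisory's affected range,
    False if it is older or already fixed, None if it cannot be parsed."""
    version = parse_version(version_text)
    if version is None:
        return None
    return AFFECTED_MIN <= version < FIXED


def triage_inventory(inventory: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group inventory entries into hosts needing the 3.38.0+ upgrade,
    hosts already fine, and hosts whose version could not be determined."""
    result: Dict[str, List[str]] = {"upgrade": [], "ok": [], "unknown": []}
    for entry in inventory:
        verdict = is_affected(entry["version"])
        if verdict is None:
            result["unknown"].append(entry["host"])
        elif verdict:
            result["upgrade"].append(entry["host"])
        else:
            result["ok"].append(entry["host"])
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    {"host": "api-docs.example.test", "version": "swagger-ui-dist@3.37.2"},
    {"host": "legacy.example.test", "version": "v3.14.1"},
    {"host": "staging.example.test", "version": "3.38.0"},
    {"host": "old-build.example.test", "version": "3.13.9"},
    {"host": "mystery.example.test", "version": "bundled, version not recorded"},
]

if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

The check deliberately returns `None` rather than `False` when no version can be parsed, so an unidentifiable deployment is surfaced for manual review instead of silently passing.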

See Also

https://swagger.io/tools/swagger-ui/

https://www.vidocsecurity.com/blog/hacking-swagger-ui-from-xss-to-account-takeovers/

Plugin Details

Severity: Medium

ID: 113267

Type: remote

Published: 7/18/2022

Updated: 7/18/2022

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: Medium

Score: 4.2

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS Score Source: Tenable

Vulnerability Information

CPE: cpe:2.3:a:smartbear:swagger-ui:*:*:*:*:*:*:*:*

Exploit Ease: Exploits are available

Reference Information