Versions of swagger-ui prior to 2.2.1 are vulnerable to Cross-Site Scripting (XSS). The package fails to encode output in GET requests. The request is meant to respond with Content-Type application/json, which does not trigger the vulnerability, but if the web server changes the header to text/html, it may allow attackers to execute arbitrary JavaScript.
Upgrade to version 2.2.1 or later.
Software | From | Fixed in |
---|---|---|
swagger-ui | - | 2.2.1 |
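The Content-Type dependency described above can be checked and defused on the serving side. The following is an added example, not swagger-ui code and not the fix shipped in 2.2.1; it assumes a JSON endpoint that reflects request data, and the function names `safeJsonStringify` and `auditJsonResponse` are hypothetical.

```javascript
// Added example (not swagger-ui code); function names are hypothetical.

// Serialize a value as JSON whose text contains no HTML-significant characters,
// so reflected strings stay inert even if a proxy relabels the response as text/html.
// The \uXXXX forms are valid JSON escapes, so JSON.parse returns the original value.
function safeJsonStringify(value) {
  const escapes = { '<': '\\u003c', '>': '\\u003e', '&': '\\u0026' };
  return JSON.stringify(value).replace(/[<>&]/g, (c) => escapes[c]);
}

// Audit the headers of a response that is supposed to carry JSON.
// `headers` is a plain object of header name -> value (assumed input shape).
function auditJsonResponse(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  const findings = [];
  const mediaType = (h['content-type'] || '').split(';')[0].trim().toLowerCase();
  if (mediaType === '') {
    findings.push('missing Content-Type: browser may sniff the body as HTML');
  } else if (mediaType !== 'application/json' && !mediaType.endsWith('+json')) {
    findings.push(`Content-Type is ${mediaType}, expected application/json`);
  }
  if ((h['x-content-type-options'] || '').trim().toLowerCase() !== 'nosniff') {
    findings.push('missing X-Content-Type-Options: nosniff');
  }
  return findings;
}

// Constructed sample data: a reflected value and two header sets.
const reflected = '<b>constructed</b> & more';
const body = safeJsonStringify({ echoed: reflected });
const asIntended = {
  'Content-Type': 'application/json; charset=utf-8',
  'X-Content-Type-Options': 'nosniff',
};
const rewritten = { 'content-type': 'text/html' }; // header changed by the web server

console.log(body);
console.log(auditJsonResponse(asIntended));
console.log(auditJsonResponse(rewritten));
```

Escaping the body and pinning the header are independent layers: the first keeps the payload inert if the header is rewritten, the second stops the browser from treating the response as HTML in the first place.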