A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product intentionally allows the embedding of untrusted JSON data from remote servers, but it was not previously known that <style>@import within the JSON data was a functional attack method.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
History
07 Nov 2023, 03:06
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Information
Published : 2019-10-10 22:15
Updated : 2024-02-28 17:28
NVD link : CVE-2019-17495
Mitre link : CVE-2019-17495
CVE.ORG link : CVE-2019-17495
JSON object : View
Products Affected
oracle
- utilities_framework
- banking_apis
- banking_digital_experience
- primavera_gateway
- banking_platform
smartbear
- swagger_ui
CWE
CWE-352
Cross-Site Request Forgery (CSRF)