Back to search
CVE-2019-17495
Published: Oct 10, 2019
Modified: Aug 5, 2024
PUBLISHED
Description
A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product intentionally allows the embedding of untrusted JSON data from remote servers, but it was not previously known that <style>@import within the JSON data was a functional attack method.
| Vendor | Product | Versions |
|---|---|---|
n/a | n/a | affected n/a |
References
https://www.oracle.com/security-alerts/cpuoct2020.html
x_refsource_MISC
https://github.com/tarantula-team/CSS-injection-in-Swagger-UI
x_refsource_MISC
https://github.com/swagger-api/swagger-ui/releases/tag/v3.23.11
x_refsource_MISC
https://www.oracle.com/security-alerts/cpuApr2021.html
x_refsource_MISC
[airflow-commits] 20210920 [GitHub] [airflow] beltran-rubo opened a new issue #18383: CVE-2019-17495 for swagger-ui
mailing-list
x_refsource_MLIST
[airflow-commits] 20210920 [GitHub] [airflow] uranusjr commented on issue #18383: CVE-2019-17495 for swagger-ui
mailing-list
x_refsource_MLIST
[airflow-commits] 20210921 [GitHub] [airflow] beltran-rubo commented on issue #18383: CVE-2019-17495 for swagger-ui
mailing-list
x_refsource_MLIST
[airflow-commits] 20210921 [GitHub] [airflow] beltran-rubo closed issue #18383: CVE-2019-17495 for swagger-ui
mailing-list
x_refsource_MLIST
https://www.oracle.com/security-alerts/cpujan2022.html
x_refsource_MISC
https://www.oracle.com/security-alerts/cpujul2022.html
x_refsource_MISC
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now