- Bug
- Resolution: Done
- Medium
- Frankfurt Release
- None
Springfox version 2.9.2 (most recent version) has known security vulnerabilities:
- The swagger-ui package is vulnerable to untrusted window.opener object attacks. The swagger-ui.js file does not properly limit new pages opened using target='_blank' from changing the location property of the window.opener object. An attacker can exploit this by changing the location property to the URL of a malicious phishing website, thus redirecting a trusted site to the malicious one without the user knowing.
- The swagger-ui package is vulnerable to Cross-Site Scripting (XSS). The authorize function in swagger-ui.js does not sanitize the URL used for the OAuth auth flow. An attacker can exploit this by inputting malicious HTML code into the URL that would then be parsed and executed.
Note that version 2.9.2 was released over a year ago (June 2018), so it does not appear to be actively supported, which is a concern.
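As an added illustration (not swagger-ui or Springfox code), the two weak browser-side patterns described above beside their hardened forms: severing the window.opener reference for target='_blank' links, and validating an OAuth authorization URL and building the link through DOM APIs instead of string-concatenated markup. The function names and the `doc` parameter are assumptions for this example.

```javascript
// --- 1. window.opener (reverse tabnabbing) -----------------------------------
// Weak: window.open(url, "_blank") hands the new page a window.opener reference,
// so it can rewrite window.opener.location on the trusted page.
// Hardened: request 'noopener' and null out the reference as a fallback.
function openWithoutOpener(url) {
  const win = window.open(url, "_blank", "noopener,noreferrer");
  if (win) win.opener = null; // fallback for browsers that ignore the feature string
  return win;
}

// Same fix for existing anchors: add rel="noopener noreferrer" to every
// target="_blank" link in the given document; returns how many were changed.
function hardenBlankLinks(doc) {
  let fixed = 0;
  for (const a of doc.querySelectorAll('a[target="_blank"]')) {
    const rel = new Set((a.getAttribute("rel") || "").split(/\s+/).filter(Boolean));
    if (!rel.has("noopener")) {
      rel.add("noopener");
      rel.add("noreferrer");
      a.setAttribute("rel", [...rel].join(" "));
      fixed++;
    }
  }
  return fixed;
}

// --- 2. XSS via an unsanitized OAuth authorization URL -----------------------
// Weak: container.innerHTML = '<a href="' + authUrl + '">Authorize</a>';
// where authUrl comes from user-controllable input and is parsed as HTML.
// Hardened: accept only absolute http(s) URLs, and set href/text as DOM
// properties so the value is never interpreted as markup.
function isSafeAuthorizationUrl(raw) {
  let u;
  try { u = new URL(String(raw)); } catch { return false; } // relative or malformed: reject
  return u.protocol === "https:" || u.protocol === "http:"; // blocks javascript:, data:, etc.
}

function buildAuthorizeLink(doc, rawUrl, clientId) {
  if (!isSafeAuthorizationUrl(rawUrl)) throw new Error("refusing non-http(s) authorization URL");
  const u = new URL(rawUrl);
  u.searchParams.set("client_id", clientId); // URLSearchParams percent-encodes the value
  const a = doc.createElement("a");
  a.href = u.toString();          // property assignment, not string-spliced markup
  a.textContent = "Authorize";    // textContent never parses HTML
  a.target = "_blank";
  a.rel = "noopener noreferrer";  // closes the window.opener hole at the same time
  return a;
}
```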