GMS-2016-45: XSS in key names

July 21, 2016

Swagger-ui contains a cross site scripting (XSS) vulnerability in the key names for the following object path in the JSON document: .definitions.{USER_DEFINED}.properties.{INJECTABLE_KEY_NAME}. Supplying a key name with script tags causes arbitrary code execution. In addition it is possible to load the arbitrary JSON files remotely via the URL query-string parameter.

References

en.wikipedia.org/wiki/Content_Security_Policy
github.com/swagger-api/swagger-ui/issues/1865

Code Behaviors & Features

Detect and mitigate GMS-2016-45 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →