Vulmon Recent Vulnerabilities Product List Research Posts Trends Blog About Contact
7.5
CVSSv2

CVE-2019-17495

CVSSv4: NA | CVSSv3: 9.8 | CVSSv2: 7.5 | VMScore: 1000 | EPSS: 0.01501 | KEV: Not Included
Published: 10/10/2019 Updated: 21/11/2024

Vulnerability Summary

A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI prior to 3.23.11 allows malicious users to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product intentionally allows the embedding of untrusted JSON data from remote servers, but it was not previously known that <style>@import within the JSON data was a functional attack method.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

smartbear swagger ui

oracle banking apis

oracle banking apis 19.1

oracle banking apis 19.2

oracle banking apis 20.1

oracle banking apis 21.1

oracle banking digital experience

oracle banking digital experience 19.1

oracle banking digital experience 19.2

oracle banking digital experience 20.1

oracle banking digital experience 21.1

oracle banking platform

oracle primavera gateway

oracle utilities framework 4.3.0.6.0

oracle utilities framework 4.4.0.0.0

oracle utilities framework 4.4.0.2.0

Vendor Advisories

Red Hat: Moderate: Open Liberty 20.0.0.1 Runtime security update
Synopsis Moderate: Open Liberty 20001 Runtime security update Type/Severity Security Advisory: Moderate Topic A security update is now available for Open Liberty 20001 from the Customer PortalRed Hat Product Security has rated this update as having a security impact of Moderate A Common Vulnerabilit ...

Github Repositories

https://github.com/mrk-andreev/tornado-swagger

Swagger API Documentation builder for tornado server.

tornado-swagger PyPI Linux Windows tornado-swagger: Swagger API Documentation builder for tornado server Inspired byaiohttp-swaggerpackage (based on this package sources) Documentation githubcom/mrk-andreev/tornado-swagger/wiki Code githubcom/mrk-andreev/tornado-swagger Issues githubcom/mrk-andreev/tornado

https://github.com/ffflabs/loopback-swaggerUI4-example

Example of using swagger-ui v4 with loopback3

loopback-swagger-ui4-example Loopback 3's explorer component uses Swagger-UI v2, which has several security advisories reported such as GitHub advisory CVE-2019-17495 wwwnpmjscom/advisories/985 wwwnpmjscom/advisories/976 There isn't any ongoing effort to adapt newer versions of Swagger-UI to Loopback 3, which is still widely used This repo conta

https://github.com/strongloop/loopback-component-explorer

Browse and test your LoopBack app's APIs

loopback-component-explorer ⚠️ LoopBack 3 is in Maintenance LTS mode, only critical bugs and critical security fixes will be provided (See Module Long Term Support Policy below) We urge all LoopBack 3 users to migrate their applications to LoopBack 4 as soon as possible Refer to our Migration Guide for more information on how to upgrade Overview Browse and test your Loo

https://github.com/b40yd/python2-tornado-swagger

fork tornado-swagger, remove python3 feature.

tornado-swagger PyPI Linux Windows tornado-swagger: Swagger API Documentation builder for tornado server Inspired byaiohttp-swaggerpackage (based on this package sources) Documentation githubcom/mrk-andreev/tornado-swagger/wiki Code githubcom/mrk-andreev/tornado-swagger Issues githubcom/mrk-andreev/tornado

References

CWE-352https://access.redhat.com/errata/RHSA-2020:0192https://nvd.nist.govhttps://github.com/mrk-andreev/tornado-swaggerhttps://www.first.org/epsshttps://github.com/swagger-api/swagger-ui/releases/tag/v3.23.11https://github.com/tarantula-team/CSS-injection-in-Swagger-UIhttps://lists.apache.org/thread.html/r103579b01da2d0aa0f672b88f811224bbf8ef493aaad845895955e91%40%3Ccommits.airflow.apache.org%3Ehttps://lists.apache.org/thread.html/r3acb7e494cf1aab99b6784b7c5bbddfd0d4f8a484ab534c3a61ef9cf%40%3Ccommits.airflow.apache.org%3Ehttps://lists.apache.org/thread.html/r84b327f7a8b6b28857b906c07a66dd98e1d341191fa8d7816514ef96%40%3Ccommits.airflow.apache.org%3Ehttps://lists.apache.org/thread.html/r853ffeb915a400f899de78124d4e0d77a19379d2e11bf8f4e98c624f%40%3Ccommits.airflow.apache.org%3Ehttps://lists.apache.org/thread.html/ref70b940c4f69560d29d6ba792d6c82865e74de3dcad4c92d99b1f8f%40%3Ccommits.airflow.apache.org%3Ehttps://www.oracle.com/security-alerts/cpuApr2021.htmlhttps://www.oracle.com/security-alerts/cpujan2022.htmlhttps://www.oracle.com/security-alerts/cpujul2022.htmlhttps://www.oracle.com/security-alerts/cpuoct2020.htmlhttps://github.com/swagger-api/swagger-ui/releases/tag/v3.23.11https://github.com/tarantula-team/CSS-injection-in-Swagger-UIhttps://lists.apache.org/thread.html/r103579b01da2d0aa0f672b88f811224bbf8ef493aaad845895955e91%40%3Ccommits.airflow.apache.org%3Ehttps://lists.apache.org/thread.html/r3acb7e494cf1aab99b6784b7c5bbddfd0d4f8a484ab534c3a61ef9cf%40%3Ccommits.airflow.apache.org%3Ehttps://lists.apache.org/thread.html/r84b327f7a8b6b28857b906c07a66dd98e1d341191fa8d7816514ef96%40%3Ccommits.airflow.apache.org%3Ehttps://lists.apache.org/thread.html/r853ffeb915a400f899de78124d4e0d77a19379d2e11bf8f4e98c624f%40%3Ccommits.airflow.apache.org%3Ehttps://lists.apache.org/thread.html/ref70b940c4f69560d29d6ba792d6c82865e74de3dcad4c92d99b1f8f%40%3Ccommits.airflow.apache.org%3Ehttps://www.oracle.com/security-alerts/cpuApr2021.htmlhttps://www.oracle.com/security-alerts/cpujan2022.htmlhttps://www.oracle.com/security-alerts/cpujul2022.htmlhttps://www.oracle.com/security-alerts/cpuoct2020.html
Preferred Score:
CVSSv2
CVSSv2
CVSSv3
CVSSv4
EPSS
VMScore
Recommendations:
command injectionCVE-2025-1653remote code executionCVE-2023-52927qiskit sdkcivi - job board & freelance marketplace wordpress themeCVE-2025-29029tianocoreCVE-2025-24201CVE-2025-27363CVE-2024-13497analyticswpunspecified
Home
/
Search Results
/
CVE-2019-17495
Vulmon Logo Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Product List Vendor List Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook