Vulnerable Library - swagger-ui-standalone-preset-3.19.3.js
Swagger UI is a dependency-free collection of HTML, JavaScript, and CSS assets that dynamically generate beautiful documentation from a Swagger-compliant API
Library home page: https://cdnjs.cloudflare.com/ajax/libs/swagger-ui/3.19.3/swagger-ui-standalone-preset.js
Found in HEAD commit: 74c673a06bd75b265cded5a04bc7fb11c78a5d8a
Vulnerabilities
| Vulnerability |
Severity |
CVSS |
Dependency |
Type |
Fixed in (swagger-ui-standalone-preset version) |
Remediation Possible** |
| CVE-2019-17495 |
Critical |
9.8 |
swagger-ui-standalone-preset-3.19.3.js |
Direct |
swagger-ui - 3.23.11, io.springfox:springfox-swagger-ui:2.10.0 |
❌ |
| WS-2019-0172 |
Medium |
6.5 |
swagger-ui-standalone-preset-3.19.3.js |
Direct |
swagger-ui - 3.20.9,swagger-api/swagger-ui - v/3.18.0,swagger-ui - 3.20.9,kevupton/auto-swagger-ui - v0.0.1,swagger-api/swagger-ui - dev-dependabot/npm_and_yarn/dompurify-3.0.8,zhaojunlike/think-swagger - 1.0.0,esandri/swagger-ui-big - v2.0.0,swagger-api/swagger-ui - dev-fix/xml-oneOf,swagger-api/swagger-ui - dev-issue-5148,dreamfactory/df-swagger-ui - 3.3.1,swagger-api/swagger-ui - dev-dependabot/npm_and_yarn/babel/runtime-corejs3-7.22.3,westhack/think-swagger - no_fix,3.20.9,swagger-api/swagger-ui - 3.3.1,swagger-api/swagger-ui - dev-fix-null-value-parsing,dreamfactory/df-swagger-ui - 0.2.0,dreamfactory/df-swagger-ui - v1.0,swagger-api/swagger-ui - dev-facelift,esandri/swagger-ui-big - v3.0.0,swagger-api/swagger-ui - dev-dependabot/npm_and_yarn/mocha-9.0.2,swagger-api/swagger-ui - v3.20.9,esandri/swagger-ui-big - no_fix,westhack/think-swagger - 1.0.0,kevupton/auto-swagger-ui - no_fix |
❌ |
| CVE-2018-25031 |
Medium |
4.3 |
swagger-ui-standalone-preset-3.19.3.js |
Direct |
swagger-ui - 4.1.3;swagger-ui-dist - 4.1.3 |
❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2019-17495
Vulnerable Library - swagger-ui-standalone-preset-3.19.3.js
Swagger UI is a dependency-free collection of HTML, JavaScript, and CSS assets that dynamically generate beautiful documentation from a Swagger-compliant API
Library home page: https://cdnjs.cloudflare.com/ajax/libs/swagger-ui/3.19.3/swagger-ui-standalone-preset.js
Dependency Hierarchy:
- ❌ swagger-ui-standalone-preset-3.19.3.js (Vulnerable Library)
Found in HEAD commit: 74c673a06bd75b265cded5a04bc7fb11c78a5d8a
Found in base branch: AltoroJ-3.2
Vulnerability Details
A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product intentionally allows the embedding of untrusted JSON data from remote servers, but it was not previously known that <style>@import within the JSON data was a functional attack method.
Publish Date: 2019-10-10
URL: CVE-2019-17495
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/master/maven/io.springfox/springfox-swagger-ui/CVE-2019-17495.yml
Release Date: 2019-10-10
Fix Resolution: swagger-ui - 3.23.11, io.springfox:springfox-swagger-ui:2.10.0
WS-2019-0172
Vulnerable Library - swagger-ui-standalone-preset-3.19.3.js
Swagger UI is a dependency-free collection of HTML, JavaScript, and CSS assets that dynamically generate beautiful documentation from a Swagger-compliant API
Library home page: https://cdnjs.cloudflare.com/ajax/libs/swagger-ui/3.19.3/swagger-ui-standalone-preset.js
Dependency Hierarchy:
- ❌ swagger-ui-standalone-preset-3.19.3.js (Vulnerable Library)
Found in HEAD commit: 74c673a06bd75b265cded5a04bc7fb11c78a5d8a
Found in base branch: AltoroJ-3.2
Vulnerability Details
swagger-ui before 3.20.9 fails to sanitize URLs used in the OAuth auth flow, which may allow attackers to execute arbitrary JavaScript. that leads to Cross-Site Scripting
Publish Date: 2026-05-27
URL: WS-2019-0172
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.mend.io/vulnerability-database/WS-2019-0172
Release Date: 2026-05-14
Fix Resolution: swagger-ui - 3.20.9,swagger-api/swagger-ui - v/3.18.0,swagger-ui - 3.20.9,kevupton/auto-swagger-ui - v0.0.1,swagger-api/swagger-ui - dev-dependabot/npm_and_yarn/dompurify-3.0.8,zhaojunlike/think-swagger - 1.0.0,esandri/swagger-ui-big - v2.0.0,swagger-api/swagger-ui - dev-fix/xml-oneOf,swagger-api/swagger-ui - dev-issue-5148,dreamfactory/df-swagger-ui - 3.3.1,swagger-api/swagger-ui - dev-dependabot/npm_and_yarn/babel/runtime-corejs3-7.22.3,westhack/think-swagger - no_fix,3.20.9,swagger-api/swagger-ui - 3.3.1,swagger-api/swagger-ui - dev-fix-null-value-parsing,dreamfactory/df-swagger-ui - 0.2.0,dreamfactory/df-swagger-ui - v1.0,swagger-api/swagger-ui - dev-facelift,esandri/swagger-ui-big - v3.0.0,swagger-api/swagger-ui - dev-dependabot/npm_and_yarn/mocha-9.0.2,swagger-api/swagger-ui - v3.20.9,esandri/swagger-ui-big - no_fix,westhack/think-swagger - 1.0.0,kevupton/auto-swagger-ui - no_fix
CVE-2018-25031
Vulnerable Library - swagger-ui-standalone-preset-3.19.3.js
Swagger UI is a dependency-free collection of HTML, JavaScript, and CSS assets that dynamically generate beautiful documentation from a Swagger-compliant API
Library home page: https://cdnjs.cloudflare.com/ajax/libs/swagger-ui/3.19.3/swagger-ui-standalone-preset.js
Dependency Hierarchy:
- ❌ swagger-ui-standalone-preset-3.19.3.js (Vulnerable Library)
Found in HEAD commit: 74c673a06bd75b265cded5a04bc7fb11c78a5d8a
Found in base branch: AltoroJ-3.2
Vulnerability Details
Swagger UI 4.1.2 and earlier could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions. Note: This was originally claimed to be resolved in 4.1.3. However, third parties have indicated this is not resolved in 4.1.3 and even occurs in that version and possibly others.
Publish Date: 2022-03-11
URL: CVE-2018-25031
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-qrmm-w75w-3wpx
Release Date: 2022-03-11
Fix Resolution: swagger-ui - 4.1.3;swagger-ui-dist - 4.1.3
Swagger UI is a dependency-free collection of HTML, JavaScript, and CSS assets that dynamically generate beautiful documentation from a Swagger-compliant API
Library home page: https://cdnjs.cloudflare.com/ajax/libs/swagger-ui/3.19.3/swagger-ui-standalone-preset.js
Found in HEAD commit: 74c673a06bd75b265cded5a04bc7fb11c78a5d8a
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - swagger-ui-standalone-preset-3.19.3.js
Swagger UI is a dependency-free collection of HTML, JavaScript, and CSS assets that dynamically generate beautiful documentation from a Swagger-compliant API
Library home page: https://cdnjs.cloudflare.com/ajax/libs/swagger-ui/3.19.3/swagger-ui-standalone-preset.js
Dependency Hierarchy:
Found in HEAD commit: 74c673a06bd75b265cded5a04bc7fb11c78a5d8a
Found in base branch: AltoroJ-3.2
Vulnerability Details
A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product intentionally allows the embedding of untrusted JSON data from remote servers, but it was not previously known that <style>@import within the JSON data was a functional attack method.
Publish Date: 2019-10-10
URL: CVE-2019-17495
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/master/maven/io.springfox/springfox-swagger-ui/CVE-2019-17495.yml
Release Date: 2019-10-10
Fix Resolution: swagger-ui - 3.23.11, io.springfox:springfox-swagger-ui:2.10.0
Vulnerable Library - swagger-ui-standalone-preset-3.19.3.js
Swagger UI is a dependency-free collection of HTML, JavaScript, and CSS assets that dynamically generate beautiful documentation from a Swagger-compliant API
Library home page: https://cdnjs.cloudflare.com/ajax/libs/swagger-ui/3.19.3/swagger-ui-standalone-preset.js
Dependency Hierarchy:
Found in HEAD commit: 74c673a06bd75b265cded5a04bc7fb11c78a5d8a
Found in base branch: AltoroJ-3.2
Vulnerability Details
swagger-ui before 3.20.9 fails to sanitize URLs used in the OAuth auth flow, which may allow attackers to execute arbitrary JavaScript. that leads to Cross-Site Scripting
Publish Date: 2026-05-27
URL: WS-2019-0172
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.mend.io/vulnerability-database/WS-2019-0172
Release Date: 2026-05-14
Fix Resolution: swagger-ui - 3.20.9,swagger-api/swagger-ui - v/3.18.0,swagger-ui - 3.20.9,kevupton/auto-swagger-ui - v0.0.1,swagger-api/swagger-ui - dev-dependabot/npm_and_yarn/dompurify-3.0.8,zhaojunlike/think-swagger - 1.0.0,esandri/swagger-ui-big - v2.0.0,swagger-api/swagger-ui - dev-fix/xml-oneOf,swagger-api/swagger-ui - dev-issue-5148,dreamfactory/df-swagger-ui - 3.3.1,swagger-api/swagger-ui - dev-dependabot/npm_and_yarn/babel/runtime-corejs3-7.22.3,westhack/think-swagger - no_fix,3.20.9,swagger-api/swagger-ui - 3.3.1,swagger-api/swagger-ui - dev-fix-null-value-parsing,dreamfactory/df-swagger-ui - 0.2.0,dreamfactory/df-swagger-ui - v1.0,swagger-api/swagger-ui - dev-facelift,esandri/swagger-ui-big - v3.0.0,swagger-api/swagger-ui - dev-dependabot/npm_and_yarn/mocha-9.0.2,swagger-api/swagger-ui - v3.20.9,esandri/swagger-ui-big - no_fix,westhack/think-swagger - 1.0.0,kevupton/auto-swagger-ui - no_fix
Vulnerable Library - swagger-ui-standalone-preset-3.19.3.js
Swagger UI is a dependency-free collection of HTML, JavaScript, and CSS assets that dynamically generate beautiful documentation from a Swagger-compliant API
Library home page: https://cdnjs.cloudflare.com/ajax/libs/swagger-ui/3.19.3/swagger-ui-standalone-preset.js
Dependency Hierarchy:
Found in HEAD commit: 74c673a06bd75b265cded5a04bc7fb11c78a5d8a
Found in base branch: AltoroJ-3.2
Vulnerability Details
Swagger UI 4.1.2 and earlier could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions. Note: This was originally claimed to be resolved in 4.1.3. However, third parties have indicated this is not resolved in 4.1.3 and even occurs in that version and possibly others.
Publish Date: 2022-03-11
URL: CVE-2018-25031
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-qrmm-w75w-3wpx
Release Date: 2022-03-11
Fix Resolution: swagger-ui - 4.1.3;swagger-ui-dist - 4.1.3