Swagger UI 4.1.2 and earlier could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions. Note: This was originally claimed to be resolved in 4.1.3. However, third parties have indicated this is not resolved in 4.1.3 and even occurs in that version and possibly others.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| swagger-ui(npm) | 0 | 4.1.3 | N/A |
| org.webjars:swagger-ui(Maven) | 0 | 4.1.3 | N/A |
CVSS Metrics
