CVE-2019-17495

Exploit

EPSS 13.71%
Published 10.10.2019 22:15:10
Last modified 21.11.2024 04:32:22
Source cve@mitre.org
Teams watchlist Login
Open Login

A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product intentionally allows the embedding of untrusted JSON data from remote servers, but it was not previously known that <style>@import within the JSON data was a functional attack method.

Affected products Warnungen 0 Metrics 3 CWE 1 References 14

Data is provided by the National Vulnerability Database (NVD)

Smartbear ≫ Swagger Ui Version < 3.23.11

Oracle ≫ Banking Apis Version >= 18.1 <= 18.3

Oracle ≫ Banking Apis Version19.1

Oracle ≫ Banking Apis Version19.2

Oracle ≫ Banking Apis Version20.1

Oracle ≫ Banking Apis Version21.1

Oracle ≫ Banking Digital Experience Version >= 18.1 <= 18.3

Oracle ≫ Banking Digital Experience Version19.1

Oracle ≫ Banking Digital Experience Version19.2

Oracle ≫ Banking Digital Experience Version20.1

Oracle ≫ Banking Digital Experience Version21.1

Oracle ≫ Banking Platform Version >= 2.4.0 <= 2.10.0

Oracle ≫ Primavera Gateway Version >= 16.2.0 <= 16.2.11

Oracle ≫ Primavera Gateway Version >= 17.12.0 <= 17.12.8

Oracle ≫ Utilities Framework Version4.3.0.6.0

Oracle ≫ Utilities Framework Version4.4.0.0.0

Oracle ≫ Utilities Framework Version4.4.0.2.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	13.71%	0.94

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

https://www.oracle.com/security-alerts/cpujan2022.html

Patch

Third Party Advisory

https://www.oracle.com/security-alerts/cpuoct2020.html

Patch

Third Party Advisory

https://www.oracle.com/security-alerts/cpuApr2021.html

Patch

Third Party Advisory

https://www.oracle.com/security-alerts/cpujul2022.html

https://github.com/swagger-api/swagger-ui/releases/tag/v3.23.11

Release Notes