Swagger-UI before 2.2.1 has a persistent (stored) cross-site scripting (XSS) vulnerability: the Default field of a property in the Definitions section of a served Swagger specification is rendered into the page without escaping, so an attacker who controls the specification can inject script that runs in the browser of anyone viewing the API documentation. External Reference: https://community.rapid7.com/community/infosec/blog/2016/09/02/r7-2016-19-persistent-xss-via-unescaped-parameters-in-swagger-ui
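The following is an added example, not Swagger-UI's own code, that illustrates the vulnerability class described above: a Swagger 2.0 specification whose Definitions carry an attacker-chosen Default value, a rendering routine that interpolates that value straight into HTML (the unsafe pattern), the same routine with HTML escaping applied (the fixed pattern), and a small pre-deployment check that flags Default values containing markup characters. The specification, function names and the rendered table layout are constructed for this demonstration and are not taken from the Swagger-UI source.

```javascript
// Added example (not Swagger-UI code). SAMPLE_SPEC is a constructed Swagger 2.0
// document; the "tag" property's default is an attacker-controlled payload.
const SAMPLE_SPEC = {
  swagger: "2.0",
  definitions: {
    Pet: {
      type: "object",
      properties: {
        name: { type: "string", default: "Fido" },
        // Hostile default: lands in the Definitions section of the rendered docs.
        tag: { type: "string", default: '<img src=x onerror="alert(1)">' },
      },
    },
  },
};

// Walk definitions -> properties and collect every declared default.
function collectDefaults(spec) {
  const out = [];
  for (const [defName, def] of Object.entries(spec.definitions || {})) {
    for (const [propName, prop] of Object.entries(def.properties || {})) {
      if (prop.default !== undefined) {
        out.push({ path: `${defName}.${propName}`, value: String(prop.default) });
      }
    }
  }
  return out;
}

// Vulnerable pattern: untrusted spec text interpolated directly into markup.
// The <img onerror> payload survives intact and executes once inserted into the DOM.
function renderUnsafe(spec) {
  return collectDefaults(spec)
    .map(({ path, value }) => `<tr><td>${path}</td><td>${value}</td></tr>`)
    .join("");
}

// Entity-escape the five characters that matter in text nodes and attribute values.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Fixed pattern: every untrusted value is escaped before interpolation, so the
// payload is shown as literal text instead of being parsed as an element.
function renderEscaped(spec) {
  return collectDefaults(spec)
    .map(({ path, value }) => `<tr><td>${escapeHtml(path)}</td><td>${escapeHtml(value)}</td></tr>`)
    .join("");
}

// Reviewer check: return the paths of any defaults carrying markup-significant
// characters, for use before publishing a spec to an unpatched Swagger-UI.
function findSuspiciousDefaults(spec) {
  return collectDefaults(spec)
    .filter(({ value }) => /[<>"']/.test(value))
    .map(({ path }) => path);
}
```

Escaping at the point where untrusted text meets markup is the fix; the pre-publication scan is only a stopgap for deployments that cannot yet move to a patched Swagger-UI, since it does not catch every encoding an attacker might use.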
Red Hat fixed this issue internally as part of CVE-2016-1000229, and the fix shipped with JBoss Fuse 6.3 R2. https://bugzilla.redhat.com/show_bug.cgi?id=1360275
This vulnerability is out of security support scope for the following products:
* Red Hat JBoss A-MQ 6
* Red Hat JBoss Fuse 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.