The following flaw was found in the swagger-ui library:

Swagger-ui contains a cross-site scripting (XSS) vulnerability in the key names for the following object path in the JSON document:

.definitions.<USER_DEFINED>.properties.<INJECTABLE_KEY_NAME>

Supplying a key name with script tags causes arbitrary code execution. In addition, it is possible to load arbitrary JSON files remotely via the URL query-string parameter.

Upstream bug:

https://github.com/swagger-api/swagger-ui/issues/1865

External References:

https://nodesecurity.io/advisories/126
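A pre-render check for the object path named in the description above, as an added example that is not part of the original report or of swagger-ui's code. It flags property key names that contain markup characters and shows their HTML-escaped form. The function names and the sample document are assumptions, and the walk into nested `properties` and `items` goes beyond the single path the report lists.

```javascript
// Pre-render check for a Swagger 2.0 document (added example, hypothetical helper names).
const MARKUP_CHARS = /[<>"'&]/;

// HTML-escape a key name so it renders as text rather than markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Walk a schema's "properties" map; nested objects and array items carry their own.
function scanProperties(schema, path, findings) {
  if (!schema || typeof schema !== 'object') return;
  const props = schema.properties;
  if (props && typeof props === 'object') {
    for (const key of Object.keys(props)) {
      const keyPath = `${path}.properties.${JSON.stringify(key)}`;
      if (MARKUP_CHARS.test(key)) findings.push({ path: keyPath, key, escaped: escapeHtml(key) });
      scanProperties(props[key], keyPath, findings);
    }
  }
  if (schema.items) scanProperties(schema.items, `${path}.items`, findings);
}

// Return one finding per suspicious key name under .definitions.<name>.properties.
function findSuspiciousPropertyKeys(spec) {
  const findings = [];
  const defs = (spec && spec.definitions) || {};
  for (const name of Object.keys(defs)) {
    scanProperties(defs[name], `.definitions.${JSON.stringify(name)}`, findings);
  }
  return findings;
}

// Constructed sample document, not taken from the advisory.
const sampleSpec = {
  swagger: '2.0',
  definitions: {
    Pet: {
      type: 'object',
      properties: {
        name: { type: 'string' },
        '<script>alert(1)</script>': { type: 'string' },
        owner: { type: 'object', properties: { '<b>id</b>': { type: 'integer' } } },
      },
    },
  },
};
console.log(findSuspiciousPropertyKeys(sampleSpec));
```

Running a check like this on a document before it is handed to the renderer lets a pipeline reject or quarantine specs from untrusted sources; it does not replace upgrading to a fixed swagger-ui release.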
DWF assignment: https://github.com/distributedweaknessfiling/DWF-Database/commit/2d8e72d5449dd1a1f8b89e365e326a0356e38fb0
This issue has been addressed in the following products: Via RHSA-2017:0868 https://access.redhat.com/errata/RHSA-2017:0868
This issue has been addressed in the following products: Red Hat JBoss Fuse Via RHSA-2017:0868 https://access.redhat.com/errata/RHSA-2017:0868