Swagger Editor v2.9.9 "description" Key DOM-based Cross-Site Scripting RCE Security Advisory https://www.rcesecurity.com 1. ADVISORY INFORMATION ======================= Product: Swagger Editor Vendor URL: https://github.com/swagger-api/swagger-editor Type: Cross-Site Scripting [CWE-79] Date found: 2015-04-07 Date published: 2016-05-03 CVSSv3 Score: 6.3 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) CVE: - 2. CREDITS ========== This vulnerability was discovered and researched by Julien Ahrens from RCE Security. 3. VERSIONS AFFECTED ==================== Swagger Editor v2.9.9 (latest) older versions may be affected too. 4. INTRODUCTION =============== Swagger Editor lets you edit Swagger API specifications in YAML inside your browser and to preview documentations in real time. Valid Swagger JSON descriptions can then be generated and used with the full Swagger tooling (code generation, documentation, etc). (from the vendor's homepage) 5. VULNERABILITY DETAILS ======================== The application "Swagger Editor" offers the functionality to import Swagger API specifications via a remote YAML/JSON file, but does not properly validate the "description" key within the imported specification file, which could lead to an unauthenticated DOM-based Cross-Site Scripting vulnerability. The following Proof-of-Concept YAML file triggers this vulnerability: swagger: '2.0' info: version: 1.0.0 title: Echo description: '' paths: /: get: responses: '200': description: Echo GET 6. RISK ======= To successfully exploit this vulnerability, the user must be tricked into importing an arbitrary JSON or YAML file either via the file system or via a remote URL. The vulnerability can be used to temporarily embed arbitrary script code into the context of the Swagger Editor interface, which offers a wide range of possible attacks such as client-side context manipulation or attacking the browser and its components. 7. SOLUTION =========== None. 8. REPORT TIMELINE ================== 2015-04-07: Discovery of the vulnerability 2015-04-07: Notified vendor via contact addresses on GitHub 2015-04-14: Notified vendor via contact addresses on GitHub 2015-04-23: Notified vendor via contact addresses on GitHub 2015-05-02: Notified vendor via contact addresses on GitHub 2015-05-02: Vendor states that creating a public GitHub issue is the proper way according to their policy 2016-05-03: Created https://github.com/swagger-api/swagger-editor/issues/908 2016-05-03: Advisory released 9. REFERENCES ------------- https://github.com/swagger-api/swagger-editor/issues/908