Cross-site scripting in Swagger-UI · CVE-2019-17495 · GitHub Advisory Database · GitHub
Cross-site scripting in Swagger-UI
Critical severity • GitHub Reviewed
Published Oct 15, 2019 to the GitHub Advisory Database • Updated Aug 26, 2024

Description
A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product intentionally allows the embedding of untrusted JSON data from remote servers, but it was not previously known that <style>@import within the JSON data was a functional attack method.

Published by the National Vulnerability Database: Oct 10, 2019
Reviewed: Oct 14, 2019
Published to the GitHub Advisory Database: Oct 15, 2019
Last updated: Aug 26, 2024

Severity: Critical / 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: None
User Interaction: None
Vulnerable System Impact Metrics
Confidentiality: High
Integrity: High
Availability: High
Subsequent System Impact Metrics
Confidentiality: None
Integrity: None
Availability: None
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS score: (94th percentile)

Weaknesses
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-352: Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CVE ID: CVE-2019-17495
GHSA ID: GHSA-c427-hjc3-wrfw
Source code
Credits: mustafanaa (Analyst)
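As an added example (not code from the advisory or from the Swagger-UI project): a pre-render gate that walks an untrusted OpenAPI/Swagger document and flags string fields carrying the `<style>` / `@import` constructs the advisory describes, so the document can be rejected before it reaches the renderer. The function names and the sample document are constructed for this example.

```javascript
// Added example, not Swagger-UI's own code: scan an untrusted OpenAPI/Swagger
// document before rendering it and flag string fields that carry the inline
// CSS constructs the advisory describes (<style> elements, @import rules).
// Function names and the sample document are constructed for this example.

const RISKY_CSS_PATTERNS = [
  { name: "style-element", re: /<\s*style\b/i },
  { name: "css-import", re: /@import\b/i },
];

// Recursively walk the JSON document; return one finding per string value
// that matches a pattern, with a JSONPath-like location for triage.
function findRiskyCss(node, path = "$") {
  const findings = [];
  if (typeof node === "string") {
    const hit = RISKY_CSS_PATTERNS.find((p) => p.re.test(node));
    if (hit) findings.push({ path, pattern: hit.name });
  } else if (Array.isArray(node)) {
    node.forEach((v, i) => findings.push(...findRiskyCss(v, `${path}[${i}]`)));
  } else if (node !== null && typeof node === "object") {
    for (const [key, value] of Object.entries(node)) {
      findings.push(...findRiskyCss(value, `${path}.${key}`));
    }
  }
  return findings;
}

// Gate: refuse to hand a document with findings to the renderer. Rejecting is
// safer than regex-stripping; CSS escapes and other encodings can slip past a
// pattern match, so treat this as a triage aid, not as the HTML sanitizer.
function validateUntrustedSpec(spec) {
  const findings = findRiskyCss(spec);
  return { ok: findings.length === 0, findings };
}

// Constructed sample: benign path descriptions plus one poisoned info field.
const SAMPLE_SPEC = {
  openapi: "3.0.0",
  info: {
    title: "Demo API",
    description: "Pet store <style>@import url(//cdn.example.invalid/x.css);</style>",
  },
  paths: {
    "/pets": { get: { description: "Lists pets", responses: { 200: { description: "OK" } } } },
  },
};

// REPORT.ok is false and REPORT.findings points at $.info.description
const REPORT = validateUntrustedSpec(SAMPLE_SPEC);
```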
References