Invoiceninja: Swagger-ui XSS

Created on 17 Sep 2019 · 3 Comments · Source: invoiceninja/invoiceninja

I've just received a note from my webhost regarding a CVE for Swagger-UI <2.2.1. It turns out that Swagger-UI v2.1.1 is included in Invoice Ninja and is subject to limited XSS.

My webhost is auto-flagging and blocking the file "for me", but I haven't dug in enough to see what impacts it would have to keep it blocked/update it.

CVE details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5682

** Note, first issue report ever so hope I'm not breaking any unknown (to me) rules/formatting/etc :)
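A practical way to answer the question the report raises (which copies of Swagger-UI are bundled, and whether they fall below the 2.2.1 threshold the CVE note quotes) is to scan the install tree and read the version out of each file's banner. The script below is an added example, not code from the issue or from the Invoice Ninja project. It assumes, as an assumption rather than something the issue states, that a Swagger-UI 2.x `swagger-ui*.js` distribution file opens with a banner comment containing a line such as ` * @version v2.1.1`; the fixture directory names (`public/api-docs`, `vendor/swagger`) are constructed for the demo and are not Invoice Ninja's real paths.

```python
"""Report bundled Swagger-UI copies whose banner version is below 2.2.1."""
import re
import tempfile
from pathlib import Path

# Threshold taken from the issue: the CVE note covers Swagger-UI < 2.2.1.
FIXED_VERSION = (2, 2, 1)

# Assumption (not from the issue): Swagger-UI 2.x dist files open with a
# banner comment containing a line like " * @version v2.1.1".
VERSION_RE = re.compile(r"@version\s+v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the (major, minor, patch) tuple found in a banner, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def is_affected(version):
    """Tuple comparison, so 2.10.0 correctly sorts above 2.2.1 (string
    comparison would not). An unversioned file is reported as unknown,
    not as affected."""
    return version is not None and version < FIXED_VERSION


def scan_tree(root):
    """Find swagger-ui*.js under root; return (relative path, version, affected)."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("swagger-ui*.js")):
        # Only the banner is needed; avoid reading a multi-megabyte bundle.
        head = path.read_text(encoding="utf-8", errors="replace")[:2048]
        version = parse_version(head)
        rel = path.relative_to(root).as_posix()
        findings.append((rel, version, is_affected(version)))
    return findings


def demo():
    """Constructed fixture: one old copy, one patched copy, one unversioned file."""
    banner = "/**\n * swagger-ui - Swagger UI\n * @version v{}\n * @license Apache 2.0\n */\n"
    with tempfile.TemporaryDirectory() as tmp:
        old = Path(tmp, "public", "api-docs")     # constructed path
        new = Path(tmp, "vendor", "swagger")      # constructed path
        old.mkdir(parents=True)
        new.mkdir(parents=True)
        (old / "swagger-ui.js").write_text(banner.format("2.1.1"))
        (new / "swagger-ui.min.js").write_text(banner.format("2.2.10"))
        (old / "swagger-ui-custom.js").write_text("// no banner here\n")
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel, version, affected in demo():
        state = "AFFECTED" if affected else ("unknown" if version is None else "ok")
        print(f"{rel}: {version} {state}")
```

Run it against the web root of the installation instead of the fixture by calling `scan_tree("/path/to/invoiceninja")`; a file reported as `unknown` has no parseable banner and needs a manual look rather than being treated as clean.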

question

All 3 comments

@Baledin it won't impact on the functionality of your installation if they have blocked this 'file'

I don't think this CVE affects us at all, but they've marked it as a positive because it has the 'potential' to be a security flaw.

@turbo124 Thanks for the response. Based on my reading it looked like they had to have already compromised the system to exploit this CVE so I was more concerned that it would impact system usage if the file was blocked.

Cheers!

No probs, I'm going to close this issue. Let us know if there is anything else.

