CVE-2019-17495

CVSS v3.1 9.8 (Critical)
CVSS v2.0 7.5 (High)
EPSS 1.74 % (88th)
Affected Products 6
Advisories 2

A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product intentionally allows the embedding of untrusted JSON data from remote servers, but it was not previously known that <style>@import within the JSON data was a functional attack method.

Weaknesses
CWE-352
Cross-Site Request Forgery (CSRF)
CVE Status
PUBLISHED
CNA
MITRE
Published Date
2019-10-10 22:15:10
Updated Date
2023-11-07 03:06:18

Affected Products


Configuration #1

  Product                                        CPE23                             From    Up To
  Smartbear Swagger UI, versions before 3.23.11  cpe:2.3:a:smartbear:swagger_ui    -       < 3.23.11

Configuration #2

  Product                                                   CPE23                                                   From        Up To
  Oracle Banking APIs, 18.1 through 18.3                    cpe:2.3:a:oracle:banking_apis                           >= 18.1     <= 18.3
  Oracle Banking APIs 19.1                                  cpe:2.3:a:oracle:banking_apis:19.1                      -           -
  Oracle Banking APIs 19.2                                  cpe:2.3:a:oracle:banking_apis:19.2                      -           -
  Oracle Banking APIs 20.1                                  cpe:2.3:a:oracle:banking_apis:20.1                      -           -
  Oracle Banking APIs 21.1                                  cpe:2.3:a:oracle:banking_apis:21.1                      -           -
  Oracle Banking Digital Experience, 18.1 through 18.3      cpe:2.3:a:oracle:banking_digital_experience             >= 18.1     <= 18.3
  Oracle Banking Digital Experience 19.1                    cpe:2.3:a:oracle:banking_digital_experience:19.1        -           -
  Oracle Banking Digital Experience 19.2                    cpe:2.3:a:oracle:banking_digital_experience:19.2        -           -
  Oracle Banking Digital Experience 20.1                    cpe:2.3:a:oracle:banking_digital_experience:20.1        -           -
  Oracle Banking Digital Experience 21.1                    cpe:2.3:a:oracle:banking_digital_experience:21.1        -           -
  Oracle Banking Platform, 2.4.0 through 2.10.0             cpe:2.3:a:oracle:banking_platform                       >= 2.4.0    <= 2.10.0
  Oracle Primavera Gateway, 16.2.0 through 16.2.11          cpe:2.3:a:oracle:primavera_gateway                      >= 16.2.0   <= 16.2.11
  Oracle Primavera Gateway, 17.12.0 through 17.12.8         cpe:2.3:a:oracle:primavera_gateway                      >= 17.12.0  <= 17.12.8
  Oracle Utilities Framework 4.3.0.6.0                      cpe:2.3:a:oracle:utilities_framework:4.3.0.6.0          -           -
  Oracle Utilities Framework 4.4.0.0.0                      cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0          -           -
  Oracle Utilities Framework 4.4.0.2.0                      cpe:2.3:a:oracle:utilities_framework:4.4.0.2.0          -           -