
http-swagger XSS via PUT requests

Moderate severity GitHub Reviewed Published Feb 29, 2024 to the GitHub Advisory Database • Updated Mar 4, 2024

Package

gomod github.com/swaggo/http-swagger (Go)

Affected versions

< 1.2.6

Patched versions

1.2.6

Description

http-swagger before 1.2.6 allows stored XSS via PUT requests: a file uploaded through httpSwagger.WrapHandler (stored in the in-memory WebDAV filesystem as a *webdav.memFile) can subsequently be retrieved with a GET request, so an attacker can upload an HTML/JavaScript payload and have it served from the application's own origin. NOTE: this is independently fixable with respect to CVE-2022-24863 (memory exhaustion via large PUT uploads to the same handler), because a fix that continued to allow PUT requests could have blocked large files without blocking JavaScript, or blocked JavaScript without blocking large files.
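The following Go program is an added example, not code from http-swagger or from this advisory. It reproduces the vulnerable pattern with a constructed in-memory store standing in for the WebDAV memFS behind httpSwagger.WrapHandler (the vulnerableHandler, memStore, readOnly and storedXSS names are this example's own), uploads an HTML payload with PUT, reads it back with GET, and then shows the same exchange against a handler wrapped in a GET/HEAD method allowlist. The allowlist is the general mitigation; it is an assumption of this example that it reflects the shape of the 1.2.6 fix.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// memStore is a constructed stand-in for the in-memory WebDAV filesystem
// behind httpSwagger.WrapHandler. Example code, not http-swagger's own.
type memStore struct {
	mu    sync.RWMutex
	files map[string][]byte
}

func newMemStore() *memStore { return &memStore{files: map[string][]byte{}} }

// vulnerableHandler mirrors the pre-1.2.6 behaviour described in the advisory:
// every method reaches the backing store, so a PUT writes a file and a later
// GET serves it back from the application's origin.
func vulnerableHandler(store *memStore) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case http.MethodPut:
			body, err := io.ReadAll(r.Body)
			if err != nil {
				http.Error(w, "read error", http.StatusBadRequest)
				return
			}
			store.mu.Lock()
			store.files[r.URL.Path] = body
			store.mu.Unlock()
			w.WriteHeader(http.StatusCreated)
		case http.MethodGet, http.MethodHead:
			store.mu.RLock()
			body, ok := store.files[r.URL.Path]
			store.mu.RUnlock()
			if !ok {
				http.NotFound(w, r)
				return
			}
			// Content type is sniffed from the body, as a static file server
			// would do, so an uploaded HTML document executes in the browser.
			w.Header().Set("Content-Type", http.DetectContentType(body))
			_, _ = w.Write(body)
		default:
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		}
	})
}

// readOnly wraps a handler in a method allowlist so the store can never be
// written through it. Assumed mitigation shape; only GET and HEAD pass.
func readOnly(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodGet && r.Method != http.MethodHead {
			w.Header().Set("Allow", "GET, HEAD")
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// storedXSS performs the attacker's exchange: PUT a payload, then GET it back.
// It returns both status codes and the GET body so the caller can tell whether
// the payload was persisted and served.
func storedXSS(h http.Handler, path, payload string) (putStatus, getStatus int, served string) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodPut, path, strings.NewReader(payload)))
	putStatus = rec.Code
	rec = httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return putStatus, rec.Code, rec.Body.String()
}

func main() {
	// Constructed payload; any HTML that runs script would do.
	const payload = "<html><script>alert(document.cookie)</script></html>"
	put, get, body := storedXSS(vulnerableHandler(newMemStore()), "/swagger/evil.html", payload)
	fmt.Printf("vulnerable: PUT=%d GET=%d payload served=%v\n", put, get, body == payload)
	put, get, _ = storedXSS(readOnly(vulnerableHandler(newMemStore())), "/swagger/evil.html", payload)
	fmt.Printf("hardened:   PUT=%d GET=%d\n", put, get)
}
```

The vulnerable handler answers the PUT with 201 and then serves the payload with 200 and a text/html content type; the wrapped handler answers the PUT with 405 and the GET with 404 because nothing was ever stored. The same allowlist also closes the large-upload path noted for CVE-2022-24863, which is why the two issues share a fix version even though each could have been addressed on its own.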

References

Published by the National Vulnerability Database Feb 29, 2024
Published to the GitHub Advisory Database Feb 29, 2024
Reviewed Feb 29, 2024
Last updated Mar 4, 2024

Severity

Moderate

EPSS score

0.043%
(10th percentile)

Weaknesses

No CWEs

CVE ID

CVE-2024-25712

GHSA ID

GHSA-49w7-5r33-jm9m

Source code
