
CVE-2021-46708: Spoofing attack in swagger-ui-dist

CVSS Score (v3.1): 6.1

Basic Information

EPSS Score: 0.40582%
Published: 3/12/2022
Updated: 1/27/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name     Ecosystem  Vulnerable Versions  First Patched Version
swagger-ui-dist  npm        < 4.1.3              4.1.3

Vulnerability Intelligence

Miggo AI Root Cause Analysis

CWE-1021 denotes improper restriction of rendered UI layers or frames. The vulnerability is clickjacking: a malicious site embeds the Swagger UI page in a frame and tricks the victim into clicking on it. swagger-ui-dist versions < 4.1.3 likely shipped an index.html that lacked both 1) a frame-breaker script checking window.top !== window.self and 2) proper X-Frame-Options headers on the served page. The patched version 4.1.3 would have added these protections. The exact pre-patch code is not available, but the vulnerability pattern strongly matches missing frame protection in the main UI entry point.
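The two protections named above, a client-side frame-breaker check and server-side anti-framing headers, in a form that can be exercised without a browser. This is an added example, not code from swagger-ui-dist or from Miggo; the middleware, the `checkFrameProtection` audit helper and the window-like objects passed to `isFramed` are assumptions made for illustration.

```javascript
// Added example (not swagger-ui-dist's own code): the frame-protection layers
// a deployment serving a Swagger UI page should have, plus an audit helper.

// 1. Server side: headers that forbid embedding the page in a foreign frame.
//    CSP frame-ancestors is the current control and takes precedence over
//    X-Frame-Options where both are present; X-Frame-Options covers old clients.
const FRAME_PROTECTION_HEADERS = {
  "X-Frame-Options": "DENY",
  "Content-Security-Policy": "frame-ancestors 'none'",
};

// Hypothetical Express/connect-style middleware: sets both headers on every
// response, e.g. app.use(setFrameProtection) in front of the static UI route.
function setFrameProtection(req, res, next) {
  for (const [name, value] of Object.entries(FRAME_PROTECTION_HEADERS)) {
    res.setHeader(name, value);
  }
  if (typeof next === "function") next();
}

// Audit helper: given a response's headers (names in any case), report whether
// a browser would refuse to render the page inside another origin's frame.
// Returns { protected: boolean, reason: string }.
function checkFrameProtection(headers) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = String(v);

  const csp = lower["content-security-policy"];
  if (csp) {
    const directive = csp
      .split(";")
      .map((d) => d.trim())
      .find((d) => d.toLowerCase().startsWith("frame-ancestors"));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1).map((s) => s.toLowerCase());
      if (sources.includes("*")) {
        return { protected: false, reason: "frame-ancestors allows any origin" };
      }
      return { protected: true, reason: `CSP ${directive}` };
    }
  }

  const xfo = (lower["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY" || xfo === "SAMEORIGIN") {
    return { protected: true, reason: `X-Frame-Options: ${xfo}` };
  }
  if (xfo.startsWith("ALLOW-FROM")) {
    // ALLOW-FROM is obsolete and ignored by current browsers, so it does not count.
    return { protected: false, reason: "X-Frame-Options ALLOW-FROM is not honoured" };
  }
  return { protected: false, reason: "no frame-ancestors directive and no X-Frame-Options" };
}

// 2. Client side: the frame-breaker check from the analysis above. `win` is a
//    window-like object so the logic can be tested outside a browser; in a real
//    page you would pass `window`. Returns true when the document is framed.
function isFramed(win) {
  try {
    return win.top !== win.self;
  } catch (e) {
    // Reading win.top throws across origins; not being able to read it means
    // the document is embedded by a page from another origin.
    return true;
  }
}

module.exports = { FRAME_PROTECTION_HEADERS, setFrameProtection, checkFrameProtection, isFramed };
```

The header check is the one worth wiring into a deployment test: the frame-breaker script helps against older browsers, but a response header is what a browser honours regardless of whether the page's own JavaScript ran.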


WAF Protection Rules

WAF Rule

The swagger-ui-dist package before 4.1.3 for Node.js could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the vic
