How severe is CVE-2019-17495?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.8 out of 10.

What type of vulnerability is CVE-2019-17495?

This is classified as CWE-352, which is a common weakness in software security.

CVE-2019-17495 - CRITICAL Severity | CVSS 9.8

Vulnerability Description

A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product intentionally allows the embedding of untrusted JSON data from remote servers, but it was not previously known that <style>@import within the JSON data was a functional attack method.

Related Vulnerabilities

CVE-2016-9866

CRITICAL

CVSS:9.8(Critical)

An issue was discovered in phpMyAdmin. When the arg_separator is different from its default & value, the CSRF token was not properly stripped from the return URL of the preference import action. All 4...

CWE-3522016

CVE-2017-16780

CRITICAL

CVSS:9.8(Critical)

The installer in MyBB before 1.8.13 allows remote attackers to execute arbitrary code by writing to the configuration file.

CWE-3522017

CVE-2017-5959

CRITICAL

CVSS:9.8(Critical)

CSRF token bypass in GeniXCMS before 1.0.2 could result in escalation of privileges. The forgotpassword.php page can be used to acquire a token.

CWE-3522017

CVE-2017-6080

CRITICAL

CVSS:9.8(Critical)

An issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, and 1.2.x before 1.2.1, caused by lack of a protection mechanism involving HTTP Access-Control headers. To exploit the vulnerability...

CWE-3522017

CVE-2018-18934

CRITICAL

CVSS:9.8(Critical)

An issue was discovered in PopojiCMS v2.0.1. admin_component.php is exploitable via the po-admin/route.php?mod=component&act=addnew URI by using the fupload parameter to upload a ZIP file containing a...

CWE-3522018

CVE-2019-14551

CRITICAL

CVSS:9.8(Critical)

Das Q before 2019-08-02 allows web sites to execute arbitrary code on client machines, as demonstrated by a cross-origin /install request with an attacker-controlled releaseUrl, which triggers downloa...

CWE-3522019