CVE-2016-1000226: 
JavaScript vulnerability analysis and mitigation

Swagger-UI versions prior to 2.2.1 were found to be vulnerable to cross-site scripting (XSS) attacks through the 'consumes' and 'produces' parameters in the swagger JSON document. The vulnerability was discovered and disclosed in January 2016, affecting all versions of swagger-ui before version 2.2.1 (GitHub Advisory).

The vulnerability exists in both the 'consumes' and 'produces' parameters of the swagger JSON document for a given API. The content types in these parameters were not properly escaped, allowing for XSS payload injection. Additionally, swagger-ui allows users to load arbitrary swagger JSON documents via the query string parameter 'url', which expands the attack surface by allowing attackers to exploit this vulnerability against any user who can be convinced to visit a crafted link (GitHub Advisory).

The vulnerability allows attackers to execute arbitrary JavaScript code in the context of the victim's browser when they view a maliciously crafted Swagger documentation page. This is particularly concerning as swagger-ui allows loading of arbitrary swagger JSON documents via URL parameters, making it possible to target any user who can be convinced to visit a specially crafted link (GitHub Advisory).

The recommended mitigation is to update to swagger-ui version 2.2.1 or later, which includes a fix for this vulnerability. The fix was implemented through proper escaping of content types in the affected parameters (GitHub Advisory).