CVE-2021-23370

7.5 HIGH

📋 TL;DR

CVE-2021-23370 is a vulnerability in the Swiper JavaScript library that allows cross-site scripting (XSS) attacks. Attackers can inject malicious scripts through specially crafted input, which execute in users' browsers when they interact with affected Swiper components. This affects any web application using vulnerable versions of Swiper.

💻 Affected Systems

Products:
  • Swiper JavaScript library
Versions: All versions before 6.5.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any web application using Swiper for carousels, sliders, or touch interfaces. Vulnerability is in the core library.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full account takeover, session hijacking, credential theft, or malware distribution to all users of affected web applications.

🟠 Likely Case

Limited XSS attacks leading to session theft, defacement, or data exfiltration from users who interact with malicious content.

🟢 If Mitigated

Minimal impact with proper content security policies, input validation, and output encoding in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

XSS vulnerabilities are commonly exploited. The fix commit shows specific input validation issues.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.5.1

Vendor Advisory: https://github.com/nolimits4web/swiper/commit/9dad2739b7474f383474773d5ab898a0c29ac178

Restart Required: No

Instructions:

1. Update the Swiper dependency to version 6.5.1 or later.
2. For npm: 'npm update swiper'.
3. For yarn: 'yarn upgrade swiper'.
4. For direct downloads, replace swiper.js/swiper.min.js with the patched version.
5. Clear browser caches and redeploy applications.

🔧 Temporary Workarounds

Implement Content Security Policy (applies to: all)

Add CSP headers to restrict script execution sources:

Content-Security-Policy: script-src 'self'
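A CSP only limits an XSS in a front-end library such as Swiper if the effective script policy really excludes inline and arbitrary-origin scripts. The checker below is an added example, not code from the advisory or from the Swiper project: it parses a Content-Security-Policy header value, derives the sources that govern scripts (script-src, falling back to default-src as browsers do), and reports the settings that would still let an injected script run. The sample policies are constructed.

```javascript
// Added example (not part of the advisory): check whether a
// Content-Security-Policy header value actually constrains script execution.
// A policy that still permits inline or arbitrary-origin scripts does little
// against an XSS in a front-end library. Sample policies are constructed.

// Parse "dir src src; dir src" into a Map of directive name -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const part of String(header).split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    // First occurrence wins; browsers ignore a repeated directive.
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// script-src falls back to default-src when absent; with neither, scripts are unrestricted.
function effectiveScriptSources(directives) {
  if (directives.has('script-src')) return directives.get('script-src');
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

const HASH_OR_NONCE = /^'(nonce-|sha(256|384|512)-)/;

// Returns { restrictsScripts, findings } for one header value.
function assessScriptPolicy(header) {
  const sources = effectiveScriptSources(parseCsp(header));
  const findings = [];
  if (sources === null) {
    findings.push('no script-src or default-src: scripts from any source may run');
    return { restrictsScripts: false, findings };
  }
  const lower = sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = lower.some((s) => HASH_OR_NONCE.test(s));
  // CSP Level 2+ browsers ignore 'unsafe-inline' once a nonce or hash is present.
  if (lower.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push("'unsafe-inline' without nonce/hash: injected inline scripts run");
  }
  if (lower.includes('*')) findings.push("wildcard '*': scripts load from any origin");
  if (lower.some((s) => s === 'https:' || s === 'http:')) {
    findings.push('bare scheme source (http:/https:): scripts load from any host on that scheme');
  }
  if (lower.includes('data:')) findings.push("'data:' source: scripts load from data: URIs");
  if (lower.includes("'unsafe-eval'")) {
    findings.push("'unsafe-eval': string-to-code (eval, Function) allowed");
  }
  return { restrictsScripts: findings.length === 0, findings };
}

if (typeof require !== 'undefined' && require.main === module) {
  const samples = [
    "script-src 'self'",
    "default-src *",
    "script-src 'self' 'unsafe-inline'",
    "img-src 'self'",
  ];
  for (const p of samples) console.log(p, '=>', assessScriptPolicy(p));
}
```

Run it against the header your application actually sends (for example, copied from the response headers in browser dev tools); the advisory's suggested `script-src 'self'` passes, while a policy that only sets `img-src` or includes `'unsafe-inline'` without a nonce is reported as not restricting scripts.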

Input Sanitization (applies to: all)

Sanitize all user inputs before passing them to Swiper components.

🧯 If You Can't Patch

  • Implement strict Content Security Policy with script-src directives
  • Disable or remove Swiper components from critical authentication/transaction flows

🔍 How to Verify

Check if Vulnerable:

Check the swiper version declared in package.json and the version actually installed under node_modules. Any version lower than 6.5.1 is vulnerable.

Check Version:

npm list swiper | grep swiper

Verify Fix Applied:

Confirm swiper version is 6.5.1 or higher. Test XSS payloads no longer execute.
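The declared range in package.json does not tell you which version was resolved, and a vulnerable copy can be nested under another dependency's node_modules. The script below is an added example, not code from the advisory or the Swiper project: it walks the "packages" map of an npm lockfile (the v2/v3 package-lock.json layout), finds every installed copy of swiper, and compares each against the patched 6.5.1 release with a plain major.minor.patch comparison. The lockfile object is a constructed sample; in practice you would `JSON.parse` the real package-lock.json.

```javascript
// Added example (not from the advisory): flag installed Swiper versions below
// the patched 6.5.1 release by reading the versions a project actually
// resolved. Assumes the npm lockfile v2/v3 layout ("packages" map keyed by
// node_modules path). The sample lockfile below is constructed.
const FIXED_VERSION = '6.5.1';

// Parse "major.minor.patch" into numbers; prerelease/build suffixes are ignored.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) return null;
  return m.slice(1, 4).map(Number);
}

// Comparator semantics: negative if a < b, zero if equal, positive if a > b.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

function isVulnerableVersion(version) {
  return compareSemver(version, FIXED_VERSION) < 0;
}

// Report every installed copy of swiper, including nested copies under
// node_modules/<dep>/node_modules/swiper, with its vulnerability status.
function findSwiperInLock(lock) {
  const found = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/swiper' || path.endsWith('/node_modules/swiper')) {
      found.push({ path, version: meta.version, vulnerable: isVulnerableVersion(meta.version) });
    }
  }
  return found;
}

function auditSwiper(lock) {
  const copies = findSwiperInLock(lock);
  return {
    copies,
    vulnerable: copies.filter((c) => c.vulnerable).map((c) => c.path),
  };
}

// Constructed sample: a patched top-level copy plus a vulnerable nested copy
// pulled in by a (hypothetical) wrapper package.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/swiper': { version: '6.5.1' },
    'node_modules/some-carousel-wrapper': { version: '2.0.0' },
    'node_modules/some-carousel-wrapper/node_modules/swiper': { version: '6.4.15' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  // To audit a real project: auditSwiper(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))
  console.log(JSON.stringify(auditSwiper(sampleLock), null, 2));
}
```

Against the sample, the top-level copy is clean but the nested one is reported under `vulnerable`; `npm list swiper` shows the same tree, but parsing the lockfile lets you fail a CI job on it rather than eyeballing the output.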

📡 Detection & Monitoring

Log Indicators:

  • Unusual script tags in Swiper-related requests
  • JavaScript errors from swiper.min.js

Network Indicators:

  • Suspicious script sources in Swiper component responses

SIEM Query:

source="web_server" AND (swiper OR "swiper.min.js") AND (script OR javascript)
