Description

An issue was discovered in server.js in TileServer GL through 3.0.0. The content of the key GET parameter is reflected unsanitized in an HTTP response for the application's main page, causing reflected XSS.

Remediation

References

http://packetstormsecurity.com/files/162193/Tileserver-gl-3.0.0-Cross-Site-Scripting.html

https://github.com/maptiler/tileserver-gl/issues/461

Related Vulnerabilities

CVE-2018-3737 Vulnerability in npm package sshpk

CVE-2022-25847 Vulnerability in npm package serve-lite

CVE-2021-29451 Vulnerability in maven package com.manydesigns:portofino-core

CVE-2022-37767 Vulnerability in maven package io.pebbletemplates:pebble

CVE-2020-11022 Vulnerability in maven package org.webjars.bowergithub.jquery:jquery

Severity

High

Classification

CWE-79 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Exploit Third Party Advisory VDB Entry