Description
An issue was discovered in server.js in TileServer GL through 3.0.0. The content of the key GET parameter is reflected unsanitized in an HTTP response for the application's main page, causing reflected XSS.
Remediation
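The reflection pattern described above and its output-encoded counterpart, as an added example that is not TileServer GL's server.js or the project's fix. The handler names, the /styles/basic.json link and the sample request are assumptions made for illustration.

```javascript
// Added illustration of reflected XSS through a `key` GET parameter.
// Not TileServer GL code: function names, the link path and the sample
// request below are hypothetical and constructed for this example.

// HTML-encode the characters that can change markup or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[ch]));
}

// Read the decoded `key` parameter from a request URL ('' when absent).
function getKey(requestUrl) {
  return new URL(requestUrl, 'http://localhost').searchParams.get('key') || '';
}

// Vulnerable pattern: the decoded parameter is concatenated into the page,
// so a quote or angle bracket in it ends the attribute and starts new markup.
function renderIndexUnsafe(requestUrl) {
  const key = getKey(requestUrl);
  return `<a href="/styles/basic.json?key=${key}">basic</a>`;
}

// Hardened pattern: encode for each context the value passes through.
// 1. encodeURIComponent keeps it a single query-string value.
// 2. escapeHtml keeps the finished URL inside the href attribute
//    (encodeURIComponent alone leaves the single quote untouched).
function renderIndexSafe(requestUrl) {
  const key = getKey(requestUrl);
  const href = `/styles/basic.json?key=${encodeURIComponent(key)}`;
  return `<a href="${escapeHtml(href)}">basic</a>`;
}

// Constructed sample request carrying markup in the key parameter.
const SAMPLE_URL = '/?key=' + encodeURIComponent('"><script>alert(1)</script>');

console.log('unsafe:', renderIndexUnsafe(SAMPLE_URL));
console.log('safe:  ', renderIndexSafe(SAMPLE_URL));
```

The same pair of functions works as a regression test: any template that places the key into a page should give the second output, not the first, for the sample request.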
References
https://github.com/maptiler/tileserver-gl/issues/461
http://packetstormsecurity.com/files/162193/Tileserver-gl-3.0.0-Cross-Site-Scripting.html
Related Vulnerabilities
CVE-2020-28449 Vulnerability in npm package decal
CVE-2015-6584 Vulnerability in npm package datatables
CVE-2023-26049 Vulnerability in maven package org.eclipse.jetty:jetty-server
CVE-2021-43785 Vulnerability in npm package @joeattardi/emoji-button
CVE-2021-21350 Vulnerability in maven package com.thoughtworks.xstream:xstream