Description

An issue was discovered in server.js in TileServer GL through 3.0.0. The content of the key GET parameter is reflected unsanitized in an HTTP response for the application's main page, causing reflected XSS.

Remediation

References

http://packetstormsecurity.com/files/162193/Tileserver-gl-3.0.0-Cross-Site-Scripting.html

https://github.com/maptiler/tileserver-gl/issues/461

Related Vulnerabilities

CVE-2020-13929 Vulnerability in maven package org.apache.zeppelin:zeppelin

CVE-2021-23354 Vulnerability in npm package printf

CVE-2021-4103 Vulnerability in npm package vditor

CVE-2021-23337 Vulnerability in npm package lodash.template

CVE-2022-41928 Vulnerability in maven package org.xwiki.platform:xwiki-platform-attachment-ui

Severity

High

Classification

CWE-79 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Exploit Third Party Advisory VDB Entry