Description

An issue was discovered in server.js in TileServer GL through 3.0.0. The content of the key GET parameter is reflected unsanitized in an HTTP response for the application's main page, causing reflected XSS.

Remediation

References

http://packetstormsecurity.com/files/162193/Tileserver-gl-3.0.0-Cross-Site-Scripting.html

https://github.com/maptiler/tileserver-gl/issues/461

Related Vulnerabilities

CVE-2020-10992 Vulnerability in maven package com.linkedin.azkaban:azkaban-common

CVE-2019-9827 Vulnerability in maven package io.hawt:hawtio-system

CVE-2023-34235 Vulnerability in npm package @strapi/database

CVE-2017-16093 Vulnerability in npm package cyber-js

CVE-2021-21162 Vulnerability in maven package org.webjars.npm:electron

Severity

High

Classification

CWE-79 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Exploit Third Party Advisory VDB Entry