Description
An issue was discovered in server.js in TileServer GL through 3.0.0. The content of the key GET parameter is reflected unsanitized in an HTTP response for the application's main page, causing reflected XSS.
Remediation
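An added example (not from the advisory or the TileServer GL code base) of the pattern described above: a `key` query value concatenated into page markup, next to a version that encodes it for the URL and HTML-attribute contexts. The link path `/styles/basic/`, the function names and the sample request are assumptions made for illustration.

```javascript
// Added example: hypothetical handler logic, not TileServer GL's server.js.
'use strict';

// Encode the five characters that can break out of HTML text or a quoted attribute.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Pull `key` from the request URL; a repeated parameter is reduced to its first value.
function readKey(requestUrl) {
  const url = new URL(requestUrl, 'http://localhost');
  const key = url.searchParams.get('key');
  return key === null ? '' : key;
}

// Before: the decoded value is concatenated straight into markup (the reflected-XSS pattern).
function renderUnsafe(requestUrl) {
  const key = readKey(requestUrl);
  return `<a href="/styles/basic/?key=${key}">Viewer</a>`;
}

// After: URL-encode for the query-string context, then HTML-encode for the attribute context.
function renderSafe(requestUrl) {
  const key = readKey(requestUrl);
  const query = key ? `?key=${encodeURIComponent(key)}` : '';
  return `<a href="${escapeHtml('/styles/basic/' + query)}">Viewer</a>`;
}

// Constructed request: the key value tries to close the attribute and open a harmless tag.
const SAMPLE = '/?key=' + encodeURIComponent('abc"><b id=probe>');

console.log('unsafe:', renderUnsafe(SAMPLE));
console.log('safe:  ', renderSafe(SAMPLE));
```

Encoding at the point of output, per context, is what keeps the value inert; stripping characters on input alone does not cover every place the value is later written.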
References
http://packetstormsecurity.com/files/162193/Tileserver-gl-3.0.0-Cross-Site-Scripting.html
https://github.com/maptiler/tileserver-gl/issues/461