Description

An issue was discovered in server.js in TileServer GL through 3.0.0. The content of the key GET parameter is reflected unsanitized in an HTTP response for the application's main page, causing reflected XSS.

Remediation

References

http://packetstormsecurity.com/files/162193/Tileserver-gl-3.0.0-Cross-Site-Scripting.html

https://github.com/maptiler/tileserver-gl/issues/461

Related Vulnerabilities

CVE-2021-21318 Vulnerability in maven package org.opencastproject:opencast-search-service-impl

CVE-2022-24759 Vulnerability in npm package @chainsafe/libp2p-noise

CVE-2023-47322 Vulnerability in maven package org.silverpeas.core:silverpeas-core-web

CVE-2021-26276 Vulnerability in npm package config-shield

CVE-2021-27290 Vulnerability in npm package ssri

Severity

High

Classification

CWE-79 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Exploit Third Party Advisory VDB Entry