Description

An issue was discovered in server.js in TileServer GL through 3.0.0. The content of the key GET parameter is reflected unsanitized in an HTTP response for the application's main page, causing reflected XSS.

Remediation

References

http://packetstormsecurity.com/files/162193/Tileserver-gl-3.0.0-Cross-Site-Scripting.html

https://github.com/maptiler/tileserver-gl/issues/461

Related Vulnerabilities

CVE-2023-27495 Vulnerability in npm package @fastify/csrf-protection

CVE-2023-1370 Vulnerability in maven package net.minidev:json-smart

CVE-2021-34082 Vulnerability in npm package proctree

CVE-2020-12265 Vulnerability in npm package decompress-tar

CVE-2021-46384 Vulnerability in maven package net.mingsoft:ms-mcms

Severity

High

Classification

CWE-79 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Exploit Third Party Advisory VDB Entry