CVE-2017-1000042 – mapbox.js
Package
Manager: npm
Name: mapbox.js
Vulnerable Version: >=0 <1.6.5 || >=2.0.0 <2.1.7
Severity
Level: Medium
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00164 (percentile 0.37853)
Details
Content Injection via TileJSON attribute in mapbox.js

Versions 1.x prior to 1.6.5 and 2.x prior to 2.1.7 of `mapbox.js` are vulnerable to a cross-site-scripting attack in certain uncommon usage scenarios. If `L.mapbox.map` or `L.mapbox.tileLayer` is used to load untrusted TileJSON content from a non-Mapbox URL, a malicious user with control over the TileJSON content can inject script content into its "attribution" value, which will then be executed in the context of the page using Mapbox.js.

Recommendation
Version 2.x: Update to version 2.1.7 or later.
Version 1.x: Update to version 1.6.5 or later.
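As an added illustration of the defensive side (not mapbox.js code and not the upstream fix), the helper below shows how an application that must still consume TileJSON from a non-Mapbox source can HTML-escape the "attribution" field before the document is handed to the map. It assumes the standard TileJSON shape (an object with `tiles` and `attribution`) and that the sanitised object is then passed to `L.mapbox.tileLayer`, which is assumed to accept a TileJSON object as well as a URL; the hostile sample is constructed for the test.

```javascript
// Added example: escape the attribution value of untrusted TileJSON so that
// the map control renders it as text instead of interpreting it as markup.
// Assumes the TileJSON shape { tiles: [...], attribution: "..." }.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can open markup or break out of an attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Return a copy of the TileJSON whose attribution is safe to insert into the
// page; every other field is passed through untouched and the input object
// is not mutated. A missing attribution becomes the empty string.
function sanitizeTileJSON(tilejson) {
  if (!tilejson || typeof tilejson !== 'object') {
    throw new TypeError('TileJSON must be an object');
  }
  const out = { ...tilejson };
  out.attribution = tilejson.attribution == null ? '' : escapeHtml(tilejson.attribution);
  return out;
}

// Constructed sample of what an attacker-controlled TileJSON endpoint could serve.
const UNTRUSTED_TILEJSON = {
  tilejson: '2.0.0',
  tiles: ['https://tiles.example.invalid/{z}/{x}/{y}.png'],
  attribution: '<script>alert(1)</script> Example Tiles',
};

// Intended use (assumed API): fetch the JSON yourself, sanitise it, then pass
// the object to the layer constructor instead of the raw URL:
//   fetch(url).then((r) => r.json()).then((tj) => L.mapbox.tileLayer(sanitizeTileJSON(tj)));
```

Escaping turns legitimate attribution markup (for example a link to the data provider) into visible text; if markup must be preserved, an allowlist-based HTML sanitizer is needed instead of plain escaping.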
Metadata
Created: 2018-11-09T17:47:45Z
Modified: 2023-03-27T22:21:10Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/11/GHSA-qr28-7j6p-9hmv/GHSA-qr28-7j6p-9hmv.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-qr28-7j6p-9hmv
Finding: F008
Auto approve: 1