CVE-2020-15500 – tileserver-gl
Package
Manager: npm
Name: tileserver-gl
Vulnerable Version: >=0 <3.1.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.29574 (percentile: 0.96464)
Details
Cross-site scripting in TileServer GL
An issue was discovered in server.js in TileServer GL through 3.0.0. The content of the key GET parameter is reflected unsanitized in an HTTP response for the application's main page, causing reflected XSS.
Metadata
Created: 2021-05-17T21:01:15Z
Modified: 2023-10-02T20:24:14Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-3fr8-mwpp-8h9p/GHSA-3fr8-mwpp-8h9p.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-3fr8-mwpp-8h9p
Finding: F008
Auto approve: 1