Description
An issue was discovered in server.js in TileServer GL through 3.0.0. The content of the key GET parameter is reflected unsanitized in an HTTP response for the application’s main page, causing reflected XSS.
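The reflection pattern described above, next to a hardened form, as an added example. This is not TileServer GL's own `server.js`; the function names, the `/styles/basic/style.json` path and the sample value are assumptions made for illustration.

```javascript
// Added illustration; not TileServer GL's server.js. All names are hypothetical.

// Escape the five characters that are significant in HTML text and attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Express-style query parsing can yield arrays or objects (?key=a&key=b),
// so accept only a single string and treat anything else as absent.
function readKey(query) {
  const key = query.key;
  return typeof key === 'string' ? key : '';
}

// Vulnerable pattern: the raw parameter is concatenated into markup.
function renderLinkUnsafe(query) {
  const key = readKey(query);
  const qs = key ? '?key=' + key : '';
  return '<a href="/styles/basic/style.json' + qs + '">style</a>';
}

// Hardened pattern: URL-encode for the query-string context, then
// HTML-escape the whole value for the attribute context.
function renderLinkSafe(query) {
  const key = readKey(query);
  const qs = key ? '?key=' + encodeURIComponent(key) : '';
  return '<a href="' + escapeHtml('/styles/basic/style.json' + qs) + '">style</a>';
}

// Constructed sample input containing markup metacharacters.
const sample = { key: 'abc"><i>x</i>' };
console.log(renderLinkUnsafe(sample)); // attribute is closed early, <i> becomes markup
console.log(renderLinkSafe(sample));   // value stays inside the href attribute
```

Encoding is applied per output context, so a value that lands in both a URL and an HTML attribute needs both steps in that order.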
Recommendation
Update the tileserver-gl package to the latest compatible version. Version details:
- Affected version(s): <= 3.0.0
- Patched version(s): 3.1.0
Related Issues
- Prototype Pollution in jquery-deparam - CVE-2021-20087
- files.photo.gallery command injection - CVE-2024-53615
- Potential XSS vulnerability in jQuery - CVE-2020-11023
- mapshaper Path Traversal vulnerability - CVE-2024-1163
Tags: npm, tileserver-gl
Last updated on October 02, 2023