CVE-2020-15500
Published 2020-07-01
Priority P343 · medium · 6.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EXPLOIT
EPSS: 12.22% (95.7th percentile)
An issue was discovered in server.js in TileServer GL through 3.0.0. The content of the key GET parameter is reflected unsanitized in an HTTP response for the application's main page, causing reflected XSS.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tileserver | tileservergl | <= 3.0.0 | — |
CVSS provenance
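| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |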
GHSA
Cross-site scripting in TileServer GL
ghsa·2021-05-17
CVE-2020-15500 [MEDIUM] CWE-79 Cross-site scripting in TileServer GL
OSV
Cross-site scripting in TileServer GL
osv·2021-05-17
CVE-2020-15500 [MEDIUM] Cross-site scripting in TileServer GL
No detection rules found.
Exploit-DB
Tileserver-gl 3.0.0 - 'key' Reflected Cross-Site Scripting (XSS)
exploitdb·2021-04-15
CVE-2020-15500 Tileserver-gl 3.0.0 - 'key' Reflected Cross-Site Scripting (XSS)
---
# Exploit Title: Tileserver-gl 3.0.0 - 'key' Reflected Cross-Site Scripting (XSS)
# Date: 15/04/2021
# Exploit Author: Akash Chathoth
# Vendor Homepage: http://tileserver.org/
# Software Link: https://github.com/maptiler/tileserver-gl
# Version: versions alert(document.domain)
Nuclei
TileServer GL <=3.0.0 - Cross-Site Scripting
nuclei·CVSS 6.1
CVE-2020-15500 [MEDIUM] TileServer GL <=3.0.0 - Cross-Site Scripting
TileServer GL \""
  - type: status
    status:
      - 200
# digest: 490a00463044022027f8e16c3b36ab83399c544d74977001cf0e84b6951c616294792113a5bcca08022043e4db41a1e8399ccb46b868ad4e3536dbe4956377ba91779f6c19b2d278d57d:922c64590222798bb761d5b6d8e72950
No writeups or analysis indexed.