OSV:GHSA-PXCF-V868-M492
Injection and Cross-site Scripting in osm-static-maps

2021-05-10 18:43:45
Google
osv.dev
osm-static-maps
version 3.9.0
injection
cross-site scripting
user input
template
escaping
attacker
html
js code
xss
server rendering
puppeteer
ssrf
local file read

EPSS

0.002

Percentile

52.5%

This affects all versions of the package osm-static-maps below 3.9.0. User input given to the package is passed directly into a template through unescaped triple-brace interpolation ({{{ ... }}}), so an attacker can inject arbitrary HTML/JS. Depending on the context, the injected markup is either output as HTML on the page, which enables cross-site scripting (XSS), or rendered on the server by puppeteer, where markup that makes the headless browser load attacker-chosen URLs enables server-side request forgery (SSRF) and local file read.
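To make the unescaped-interpolation point concrete, here is an added example; it is not code from osm-static-maps or from osv.dev. It is a minimal Mustache/Handlebars-style renderer assumed to treat {{{key}}} as raw and {{key}} as HTML-escaped, plus a helper that lists the URLs a headless browser would fetch from the rendered page. The template strings, the "attribution" field name and both payloads are constructed for illustration.

```javascript
// Added example, not code from osm-static-maps or osv.dev.
// A minimal Mustache/Handlebars-style renderer (assumed semantics):
//   {{{key}}}  -> raw substitution, no escaping   (the vulnerable form)
//   {{key}}    -> HTML-escaped substitution       (safe for HTML text and quoted attributes)
// plus a helper that lists the URLs a headless browser would try to fetch from
// the rendered page, which is how injected markup turns into SSRF / local file
// read when the HTML is rendered server-side (for example by puppeteer).

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;',
  "'": '&#x27;', '`': '&#x60;', '=': '&#x3D;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"'`=]/g, (c) => HTML_ESCAPES[c]);
}

// One regex, one pass: the raw alternative must come first so that "{{{" is
// not mis-read as "{{" followed by a literal "{". Doing it in a single
// replace() also means substituted values are never re-scanned for tags.
const TAG_RE = /\{\{\{\s*([\w.]+)\s*\}\}\}|\{\{\s*([\w.]+)\s*\}\}/g;

function render(template, data) {
  return template.replace(TAG_RE, (_match, rawKey, escapedKey) => {
    if (rawKey !== undefined) return String(data[rawKey] ?? '');   // {{{ }}} : unescaped
    return escapeHtml(data[escapedKey] ?? '');                      // {{ }}   : escaped
  });
}

// Constructed templates: "attribution" stands in for any user-supplied string.
const VULNERABLE_TEMPLATE = '<div id="attribution">{{{attribution}}}</div>';
const HARDENED_TEMPLATE = '<div id="attribution">{{attribution}}</div>';

function renderVulnerable(userInput) {
  return render(VULNERABLE_TEMPLATE, { attribution: userInput });
}

function renderHardened(userInput) {
  return render(HARDENED_TEMPLATE, { attribution: userInput });
}

// Collect src/href/data attribute values from start tags. A headless browser
// rendering the page would fetch each of these, so any attacker-controlled
// entry here is a server-side request (or file:// read) the attacker chose.
function extractSubresourceUrls(html) {
  const urls = [];
  const startTagRe = /<[a-z][^>]*>/gi;
  const urlAttrRe = /\s(?:src|href|data)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  for (const tag of html.match(startTagRe) || []) {
    let m;
    urlAttrRe.lastIndex = 0;
    while ((m = urlAttrRe.exec(tag)) !== null) {
      urls.push(m[1] ?? m[2] ?? m[3]);
    }
  }
  return urls;
}

// Constructed payloads.
const XSS_PAYLOAD = '<img src=x onerror="alert(1)">';
const SSRF_PAYLOAD = '<iframe src="file:///etc/passwd"></iframe>';

console.log('vulnerable (XSS):    ', renderVulnerable(XSS_PAYLOAD));
console.log('hardened   (XSS):    ', renderHardened(XSS_PAYLOAD));
console.log('vulnerable fetches:  ', extractSubresourceUrls(renderVulnerable(SSRF_PAYLOAD)));
console.log('hardened fetches:    ', extractSubresourceUrls(renderHardened(SSRF_PAYLOAD)));
```

Switching {{{ }}} to {{ }} (or escaping before the value reaches the template) is the fix for values placed in HTML text or quoted attribute values. It is not sufficient for values placed inside a script block, a URL attribute, or CSS; those contexts need context-specific encoding or strict validation. When the rendering happens in a server-side headless browser, restricting which URL schemes and hosts it may load is worthwhile defense in depth regardless of the template fix.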

