Exploit for TileServer GL <=3.0.0 - Cross-Site Scripting (CVE-2020-15500)

Description:

TileServer GL through 3.0.0 is vulnerable to reflected cross-site scripting via server.js because the content of the key GET parameter is reflected unsanitized in an HTTP response for the application’s main page.

Nuclei Template

View the template here: CVE-2020-15500.yaml

Validate with Nuclei

echo "$URL" | nuclei -t ~/nuclei-templates/http/cves/2020/CVE-2020-15500.yaml

References:

https://github.com/ARPSyndicate/cvemon
https://github.com/maptiler/tileserver-gl/issues/461
https://github.com/ARPSyndicate/kenzer-templates
https://nvd.nist.gov/vuln/detail/CVE-2020-15500
http://packetstormsecurity.com/files/162193/Tileserver-gl-3.0.0-Cross-Site-Scripting.html