CVE-2020-15500

MEDIUM NUCLEI

Tileservergl < 3.0.0 - XSS

Title source: rule

Description

An issue was discovered in server.js in TileServer GL through 3.0.0. The content of the key GET parameter is reflected unsanitized in an HTTP response for the application's main page, causing reflected XSS.

Exploits (1)

exploitdb WORKING POC

by Akash Chathoth · textwebappsmultiple

https://www.exploit-db.com/exploits/49771

View Code ZIP pw:eip

Nuclei Templates (1)

TileServer GL <=3.0.0 - Cross-Site Scripting

MEDIUMby Akash.C

References (2)

[Exploit, Third Party Advisory, VDB Entry] http://packetstormsecurity.com/files/162193/Tileserver-gl-3.0.0-Cross-Site-Scripting.html

[Exploit, Third Party Advisory] https://github.com/maptiler/tileserver-gl/issues/461

Scores

CVSS v3 6.1

EPSS 0.1452

EPSS Percentile 94.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (2)

npm/tileserver-gl 0 - 3.1.0npm

tileserver/tileservergl < 3.0.0

Published Jul 01, 2020

Tracked Since Feb 18, 2026