CVE-2020-7749
HIGH
osm-static-maps < 3.9.0 - Cross-Site Scripting and Server-Side Request Forgery via Template Injection
Title source: llmDescription
This affects all versions of package osm-static-maps. User input given to the package is passed directly to a template without escaping ({{{ ... }}}). As such, an attacker can inject arbitrary HTML/JS code, and depending on the context it is either output as HTML on the page, which gives an opportunity for XSS, or rendered on the server (puppeteer), which also gives an opportunity for SSRF and local file read.
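To make the escaping difference concrete, here is an added illustration (not code from osm-static-maps or its fix): a minimal Mustache/Handlebars-style renderer in which `{{{ ... }}}` inserts the raw value and `{{ ... }}` inserts the HTML-escaped value, plus a small scanner that flags triple-brace interpolations in a template source. The template fragments, the `attribution` field name and the sample input are constructed for the example.

```javascript
// Added illustration, not osm-static-maps code: a minimal renderer that reproduces
// the escaping difference between {{ }} (escaped) and {{{ }}} (raw) interpolation.
const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// HTML-escape a value so it is rendered as text rather than parsed as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Render a template in a single pass: {{{key}}} inserts data[key] verbatim (the
// pattern the advisory describes), {{key}} inserts the escaped value.
function render(template, data) {
  return template.replace(
    /\{\{\{\s*(\w+)\s*\}\}\}|\{\{\s*(\w+)\s*\}\}/g,
    (_, rawKey, escKey) =>
      rawKey !== undefined ? String(data[rawKey] ?? '') : escapeHtml(data[escKey] ?? ''),
  );
}

// Constructed template fragments standing in for the package's template file.
const VULNERABLE_TEMPLATE = '<div id="attribution">{{{attribution}}}</div>';
const HARDENED_TEMPLATE = '<div id="attribution">{{attribution}}</div>';

// Constructed sample input: a user-controlled parameter that contains markup.
const SAMPLE_INPUT = { attribution: '<script>alert(1)</script>' };

// Detection check: does any markup-bearing input value survive verbatim into the
// rendered HTML? True means the template is emitting user input unescaped.
function rendersRawMarkup(template, data) {
  const html = render(template, data);
  return Object.values(data).some(
    (v) => /<[a-z]/i.test(String(v)) && html.includes(String(v)),
  );
}

// Static check for reviewers: list the variables a template source interpolates
// with triple braces, since each one bypasses escaping.
function findUnescapedInterpolations(templateSource) {
  return [...templateSource.matchAll(/\{\{\{\s*(\w+)\s*\}\}\}/g)].map((m) => m[1]);
}

console.log(render(VULNERABLE_TEMPLATE, SAMPLE_INPUT)); // raw <script> tag reaches the page
console.log(render(HARDENED_TEMPLATE, SAMPLE_INPUT)); // entity-encoded, rendered as text
```

Real template engines differ in detail (Handlebars also escapes `=` and backtick), but the rule is the same: treat every triple-brace or `SafeString` site as a place where untrusted input must already have been sanitized.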
References (3)
Core References
Exploit, Third Party Advisory x_refsource_misc
https://snyk.io/vuln/SNYK-JS-OSMSTATICMAPS-609637
Broken Link x_refsource_misc
https://github.com/jperelli/osm-static-maps/blob/master/src/template.html%23L142
Patch, Third Party Advisory x_refsource_misc
https://github.com/jperelli/osm-static-maps/pull/24
Scores
CVSS v3
7.6
EPSS
0.0158
EPSS Percentile
72.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Details
CWE
CWE-74
CWE-79
Status
published
Products (2)
npm/osm-static-maps
0 - 3.9.0 (npm)
osm-static-maps_project/osm-static-maps
Published
Oct 20, 2020
Tracked Since
Feb 18, 2026