CVE-2020-7749
Injection and Cross-site Scripting in osm-static-maps
7.6
HIGH
CVSS 3.1
EPSS 0.48%
描述
This affects all versions of package osm-static-maps under 3.9.0. User input given to the package is passed directly to a template without escaping `({{{ ... }}})`. As such, it is possible for an attacker to inject arbitrary HTML/JS code and depending on the context. It will be outputted as an HTML on the page which gives opportunity for XSS or rendered on the server (puppeteer) which also gives opportunity for SSRF and Local File Read.
如何修補 CVE-2020-7749
要修補 CVE-2020-7749,請將受影響套件升級到下列已修補版本。
- —升級至 3.9.0 或更新版本
CVE-2020-7749 正在被利用嗎?
低 — EPSS 為 0.5%,目前沒有觀察到大規模利用活動。
受影響套件(1)
- from 0, < 3.9.0
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.6 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L |