Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2020-7749

Good to know:

icon
icon

Date: October 20, 2020

This affects all versions of package osm-static-maps. User input given to the package is passed directly to a template without escaping ({{{ ... }}}). As such, it is possible for an attacker to inject arbitrary HTML/JS code and depending on the context. It will be outputted as an HTML on the page which gives opportunity for XSS or rendered on the server (puppeteer) which also gives opportunity for SSRF and Local File Read.

Language: JS

Severity Score

Related Resources (5)

https://nvd.nist.gov/vuln/detail/CVE-2020-7749
https://github.com/jperelli/osm-static-maps/blob/master/src/template.html%23L142
https://github.com/jperelli/osm-static-maps/commit/97355d29e08753d1cfe99b1281dbaa06f4e651b0
https://github.com/jperelli/osm-static-maps/pull/24
https://www.mend.io/vulnerability-database/CVE-2020-7749

Severity Score

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-74

Server-Side Request Forgery (SSRF)

CWE-918

Top Fix

icon

Upgrade Version

Upgrade to version osm-static-maps - 3.9.0

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): LOW
Availability (A): LOW

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (AU): SINGLE
Confidentiality (C): PARTIAL
Integrity (I): PARTIAL
Availability (A): PARTIAL
Additional information:

Do you need more information?

Contact Us