CVE-2020-7749

HIGH Year: 2020
CVSS v3 Score
7.6
High
CVSS v2 Score
6.5
Medium
Weakness Type
CWE-74
View all →

Vulnerability Description

This affects all versions of package osm-static-maps. User input given to the package is passed directly to a template without escaping ({{{ ... }}}). As such, it is possible for an attacker to inject arbitrary HTML/JS code and depending on the context. It will be outputted as an HTML on the page which gives opportunity for XSS or rendered on the server (puppeteer) which also gives opportunity for SSRF and Local File Read.

Related Vulnerabilities

CVE-2023-4818

HIGH
CVSS:7.6(High)

PAX A920 device allows to downgrade bootloader due to a bug in its version check. The signature is correctly checked and only bootloader signed by PAX can be used. The attacker must have physical USB ...

CWE-742023

CVE-2025-1691

HIGH
CVSS:7.6(High)

The MongoDB Shell may be susceptible to control character injection where an attacker with control of the mongosh autocomplete feature, can use the autocompletion feature to input and run obfuscated m...

CWE-742025

CVE-2010-3668

HIGH
CVSS:7.5(High)

TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows Header Injection in the secure download feature jumpurl.

CWE-742010

CVE-2015-3200

HIGH
CVSS:7.5(High)

mod_auth in lighttpd before 1.4.36 allows remote attackers to inject arbitrary log entries via a basic HTTP authentication string without a colon character, as demonstrated by a string containing a NU...

CWE-742015

CVE-2015-8258

HIGH
CVSS:7.5(High)

AXIS Communications products with firmware through 5.80.x allow remote attackers to modify arbitrary files as root via vectors involving Open Script Editor, aka a "resource injection vulnerability."

CWE-742015