Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Server-side Request Forgery (SSRF)
Vulnerability Description
This affects all versions of package osm-static-maps. User input given to the package is passed directly to a template without escaping ({{{ ... }}}). As such, it is possible for an attacker to inject arbitrary HTML/JS code and depending on the context. It will be outputted as an HTML on the page which gives opportunity for XSS or rendered on the server (puppeteer) which also gives opportunity for SSRF and Local File Read.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Vulnerability Type
N/A
Vulnerability Title
osm-static-maps 代码问题漏洞
Vulnerability Description
osm-static-maps是个人开发者的一个类似于谷歌静态地图的 Npm 库。 osm-static-maps 所有版本存在代码问题漏洞,该漏洞提供给程序包的用户输入将直接传递到模板,而不会转义。攻击者可利用该漏洞注入任意HTML/JS代码。 它会在页面上以HTML格式输出,这为XSS提供了机会,也可以在服务器(操纵up)上呈现,这也为SSRF和本地文件读取提供了机会。
CVSS Information
N/A
Vulnerability Type
N/A