Mapserver · Mapserver · CVE-2026-42030
**Name of the Vulnerable Software and Affected Versions**
MapServer versions 6.0 through 8.6.1
**Description**
A reflected Cross-Site Scripting (XSS) issue in the WMS server allows an unauthenticated attacker to inject arbitrary HTML or JavaScript into a user's browser via a crafted WMS URL. This occurs during WMS 1.3.0 requests when the `FORMAT` parameter is set to `application/openlayers` and the `SRS` parameter is not properly sanitized.
**Recommendations**
Update to version 8.6.2.
Restrict the use of the `SRS` parameter in WMS 1.3.0 requests as a temporary mitigation.
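As an added example (not part of this advisory and not MapServer project code), the following Python script turns the request pattern described above into a check that can run at a reverse proxy or over access logs: it flags WMS 1.3.0 requests with `FORMAT=application/openlayers` whose `SRS` value falls outside a strict allow-list, which is one way to apply the temporary mitigation. The `EPSG:<digits>` allow-list, the combined-log-format parsing and the sample log lines are assumptions made for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Allow-list for SRS values; assumption: plain EPSG codes are all this deployment needs.
SRS_ALLOWED = re.compile(r"^EPSG:\d{1,6}$")

def is_risky_wms_request(url: str) -> bool:
    """True when the request matches the advisory's pattern: WMS 1.3.0,
    FORMAT=application/openlayers, and an SRS value outside the allow-list.
    Parameter names are compared case-insensitively, as WMS servers accept them."""
    raw = parse_qs(urlsplit(url).query, keep_blank_values=True)  # percent-decodes values
    params = {k.upper(): v[-1] for k, v in raw.items()}
    if params.get("SERVICE", "").upper() != "WMS" or params.get("VERSION") != "1.3.0":
        return False
    if params.get("FORMAT", "").lower() != "application/openlayers":
        return False
    srs = params.get("SRS")
    return srs is not None and SRS_ALLOWED.match(srs) is None

def scan_access_log(lines):
    """Return (line_number, request_target) for log lines matching the pattern.
    Assumes the common/combined log format: a quoted "GET /path?query HTTP/x" field."""
    target = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/')
    hits = []
    for n, line in enumerate(lines, 1):
        m = target.search(line)
        if m and is_risky_wms_request(m.group(1)):
            hits.append((n, m.group(1)))
    return hits

# Constructed sample log lines (not from a real server). Line 3 carries a stray
# quote in SRS; line 4 is the same value on WMS 1.1.1, outside the advisory's scope.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] "GET /cgi-bin/mapserv?SERVICE=WMS&VERSION=1.3.0&REQUEST=GetMap&FORMAT=image/png&SRS=EPSG:4326 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [01/Jan/2026:10:00:01 +0000] "GET /cgi-bin/mapserv?SERVICE=WMS&VERSION=1.3.0&REQUEST=GetMap&FORMAT=application/openlayers&SRS=EPSG:3857 HTTP/1.1" 200 2210',
    '10.0.0.9 - - [01/Jan/2026:10:00:02 +0000] "GET /cgi-bin/mapserv?service=wms&version=1.3.0&request=GetMap&format=application%2Fopenlayers&srs=EPSG%3A4326%22 HTTP/1.1" 200 2230',
    '10.0.0.9 - - [01/Jan/2026:10:00:03 +0000] "GET /cgi-bin/mapserv?SERVICE=WMS&VERSION=1.1.1&REQUEST=GetMap&FORMAT=application/openlayers&SRS=EPSG%3A4326%22 HTTP/1.1" 200 2230',
]

if __name__ == "__main__":
    for n, url in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: SRS outside allow-list in openlayers request: {url}")
```

Because `parse_qs` percent-decodes before the allow-list check, encoded variants of the same value are treated identically to the literal form.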