CVE-2020-7749

Name of the Vulnerable Software and Affected Versions osm-static-maps versions prior to 3.9.0

Description The issue arises from user input being passed directly to a template without proper escaping, using {{{ ... }}}. This allows an attacker to inject arbitrary HTML or JavaScript code. Depending on the context, this can lead to Cross-Site Scripting (XSS) if the code is outputted as HTML on the page, or to Server-Side Request Forgery (SSRF) and Local File Read if the code is rendered on the server using puppeteer.

Recommendations For versions prior to 3.9.0, update to version 3.9.0 or later to resolve the issue. As a temporary workaround, consider disabling the use of user input in templates until a patch is available. Restrict access to the puppeteer server to minimize the risk of SSRF and Local File Read exploitation. Avoid using the {{{ ... }}} syntax in templates until the issue is resolved.