Advisories for Npm/Osm-Static-Maps package

2020

Server-Side Request Forgery (SSRF)

A Server-Side Request Forgery (SSRF) issue exists in the osm-static-maps package. User input given to the package is passed directly to a template without escaping ({{{ … }}}). As such, it is possible for an attacker to inject arbitrary HTML/JS code depending on the context. The contents will be output as HTML on the page which gives opportunity for XSS, or possibly, rendered on the server (puppeteer) which may allow …