CVE-2020-7749: Server-Side Request Forgery (SSRF)

October 20, 2020 (updated July 21, 2021)

A Server-Side Request Forgery (SSRF) issue exists in the osm-static-maps package. User input given to the package is passed directly to a template without escaping ({{{ ... }}}). As such, it is possible for an attacker to inject arbitrary HTML/JS code depending on the context. The contents will be output as HTML on the page which gives opportunity for XSS, or possibly, rendered on the server (puppeteer) which may allow for SSRF and Local File Read vulnerabilities to be exploited.

References

nvd.nist.gov/vuln/detail/CVE-2020-7749

Detect and mitigate CVE-2020-7749 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →