[MapProxy] MapProxy 1.11.1 release with XSS fix in demo service
olt at omniscale.de
Tue Aug 6 01:55:38 PDT 2019
A security audit by Janek Vind found a Cross Site Scripting (XSS) issue in the demo service. This is related to a previous XSS fix which did not cover all cases.
A targeted, non-persistent Cross Site Scripting attack could use this issue for information disclosure. This is _not_ a disclosure of any information on the server (like files, etc.).
Refer to https://en.wikipedia.org/wiki/Cross-site_scripting
You are advised to disable the demo service or to update MapProxy to 1.11.1, if you are unsure whether this is a risk in your specific installation.
The upcoming 1.12.0 release will also contain this fix.
For reference: https://github.com/mapproxy/mapproxy/issues/322
Oliver Tonnhofer | Omniscale GmbH & Co KG | https://omniscale.com
OpenStreetMap WMS and tile services | https://maps.omniscale.com