6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2017-1000043

GHSA ID

GHSA-q69p-5h74-w36f

EPSS Score

0.38017%

CWE

CWE-79

Published

11/9/2018

Updated

3/27/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2017-1000043

CVE-2017-1000043:
Content Injection via TileJSON Name in mapbox.js

Versions 1.x prior to 1.6.6 and 2.x prior to 2.2.4 of mapbox.js are vulnerable to a cross-site-scripting attack in certain uncommon usage scenarios.

If L.mapbox.map or L.mapbox.shareControl are used in a manner that gives users control of the TileJSON content, it is possible to inject script content into the name value of the TileJSON. After clicking on the share control, the malicious code will execute in the context of the page using Mapbox.js.

Recommendation

Version 1.x: Update to version 1.6.6 or later. Version 2.x: Update to version 2.2.4 or later.

(GitHub Advisory)

6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2017-1000043

GHSA ID

GHSA-q69p-5h74-w36f

EPSS Score

0.38017%

CWE

CWE-79

Published

11/9/2018

Updated

3/27/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
mapbox.js	npm	< 1.6.6	1.6.6
mapbox.js	npm	>= 2.0.0, < 2.2.4	2.2.4
mapbox-rails	rubygems	>= 1.0.0, < 1.6.6	1.6.6
mapbox-rails	rubygems	>= 2.0.0, < 2.2.4	2.2.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability manifests in share control UI generation where TileJSON 'name' values are inserted into DOM without proper escaping. The primary vulnerable functions are in the ShareControl prototype responsible for rendering UI elements. L.mapbox.map is included as the entry point that initiates the vulnerable chain when using untrusted input. These functions would appear in stack traces when processing malicious TileJSON data and generating share controls.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

V*rsions *.x prior to *.*.* *n* *.x prior to *.*.* o* `m*p*ox.js` *r* vuln*r**l* to * *ross-sit*-s*riptin* *tt**k in **rt*in un*ommon us*** s**n*rios. I* `L.m*p*ox.m*p` or `L.m*p*ox.s**r**ontrol` *r* us** in * m*nn*r t**t *iv*s us*rs *ontrol o* t**

Reasoning

T** vuln*r**ility m*ni**sts in s**r* *ontrol UI **n*r*tion w**r* Til*JSON 'n*m*' v*lu*s *r* ins*rt** into *OM wit*out prop*r *s**pin*. T** prim*ry vuln*r**l* *un*tions *r* in t** S**r**ontrol prototyp* r*sponsi*l* *or r*n**rin* UI *l*m*nts. L.m*p*ox.

6.1

Basic Information

Concerned about an active attack path?

CVE-2017-1000043: Content Injection via TileJSON Name in mapbox.js

Recommendation

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2017-1000043:
Content Injection via TileJSON Name in mapbox.js

Vulnerability Intelligence
Miggo AI