Vulnerabilities from the last week
Server-side Request Forgery (SSRF)
terriajs-server is a basic NodeJS Express server that serves up a (not included) static TerriaJS-based site (such as National Map) with a few additional useful services.
Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) due to improper validation of the proxyableDomains configuration: a proxy target is accepted when its host name merely ends with an allowed domain, rather than being that domain or one of its subdomains. An attacker can bypass the domain restriction by registering a domain whose name ends with an allowed domain and use the server to proxy unauthorized content.
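The suffix-matching mistake described above, as an added example that is not terriajs-server's own code. The allow-list, the function names (`hostIsAllowedSuffix`, `hostIsAllowedStrict`, `proxyDecision`) and the sample targets are constructed for illustration; the point is that a bare `endsWith` check accepts `attacker-example.com` when `example.com` is allowed, while a dot-boundary check does not.

```javascript
// Added example (not terriajs-server code). Constructed allow-list of proxyable domains.
const allowedDomains = ['example.com', 'maps.example.org'];

// Vulnerable check: "does the target host end with an allowed domain?"
// "attacker-example.com" ends with "example.com" and is accepted.
function hostIsAllowedSuffix(host, allowed = allowedDomains) {
  const h = host.toLowerCase();
  return allowed.some(d => h.endsWith(d.toLowerCase()));
}

// Hardened check: the host must be the allowed domain itself, or a subdomain of it
// (the match must start at a dot boundary, so "notexample.com" is rejected).
function hostIsAllowedStrict(host, allowed = allowedDomains) {
  const h = host.toLowerCase();
  return allowed.some(d => {
    const dom = d.toLowerCase();
    return h === dom || h.endsWith('.' + dom);
  });
}

// Take the host from a full target URL with the platform URL parser rather than string
// slicing, so userinfo tricks such as "http://example.com@evil.test" resolve to the real
// host ("evil.test"), and refuse anything that is not plain http(s).
function proxyTargetHost(target) {
  let url;
  try { url = new URL(String(target)); } catch { return null; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  return url.hostname;
}

function proxyDecision(target, allowed = allowedDomains) {
  const host = proxyTargetHost(target);
  if (host === null) return { allowed: false, host: null, reason: 'unparseable or non-http target' };
  return { allowed: hostIsAllowedStrict(host, allowed), host };
}

// Constructed demonstration inputs.
const bypassHost = 'attacker-example.com';
console.log('suffix check accepts bypass host:', hostIsAllowedSuffix(bypassHost)); // true
console.log('strict check accepts bypass host:', hostIsAllowedStrict(bypassHost)); // false
console.log(proxyDecision('https://api.example.com/tiles'));            // allowed: true
console.log(proxyDecision('http://example.com@evil.test/'));            // allowed: false
```

The strict comparison is still only one layer: a production proxy should also resolve the host and refuse private, loopback and link-local addresses, since an allowed domain can be pointed at an internal address by whoever controls its DNS.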
Cross-site Scripting (XSS)
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper escaping of user input in the website and author fields before they are inserted into an HTML attribute. An attacker can execute arbitrary JavaScript in the context of users viewing affected comments by submitting specially crafted input containing single quotes and event handlers: the quote closes the attribute value and the remainder is parsed as new attributes. This can lead to the compromise of user sessions or theft of sensitive information. The same issue exists in the user-facing comment edit endpoint and the moderation edit endpoint.
Regular Expression Denial of Service (ReDoS)
Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the SdkProxyRoutePlanner function. An attacker can cause significant resource consumption and degrade application performance by providing specially crafted input to the nonProxyHosts argument.
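An added example of the failure mode this entry describes, not the SDK's code: it assumes the common Java `nonProxyHosts` format (`host|*.domain`, `|`-separated entries with `*` as a wildcard) and contrasts a wildcard-to-regex translation, which backtracks badly when one entry contains many `*`, with a wildcard matcher that never backtracks more than one position. The function names and the hostile pattern are constructed for illustration.

```javascript
// Added example (not the SDK's code). Assumes the "host|*.domain" nonProxyHosts format.

function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Regex translation: every "*" becomes ".*?". With k wildcards in one entry and a host of
// length n that does NOT match, the engine must try every way of splitting n characters
// across k lazy groups before failing: on the order of C(n+k-1, k-1) attempts, so an entry
// like "*****...*x" against a long host ties up the thread. Do not run the hostile case below
// through this function.
function nonProxyRegexes(nonProxyHosts) {
  return nonProxyHosts.split('|').filter(Boolean).map(entry =>
    new RegExp('^' + entry.toLowerCase().split('*').map(escapeRegex).join('.*?') + '$'));
}
function bypassesProxyViaRegex(host, nonProxyHosts) {
  return nonProxyRegexes(nonProxyHosts).some(re => re.test(host.toLowerCase()));
}

// Backtracking-free wildcard match: greedy "*" with a single remembered backtrack point.
// Worst case O(host.length * pattern.length) regardless of how many "*" the pattern has.
function wildcardMatch(host, pattern) {
  let h = 0, p = 0, starP = -1, starH = 0;
  while (h < host.length) {
    if (p < pattern.length && pattern[p] === host[h]) { h++; p++; }
    else if (p < pattern.length && pattern[p] === '*') { starP = p++; starH = h; }
    else if (starP !== -1) { p = starP + 1; h = ++starH; }
    else return false;
  }
  while (p < pattern.length && pattern[p] === '*') p++;
  return p === pattern.length;
}
function bypassesProxy(host, nonProxyHosts) {
  const h = host.toLowerCase();
  return nonProxyHosts.split('|').filter(Boolean).some(e => wildcardMatch(h, e.toLowerCase()));
}

// Constructed hostile configuration value: thirty wildcards followed by a literal that the
// host never contains. The safe matcher rejects a 40-character host in a few dozen steps.
function hostileNonProxyHosts(wildcards = 30) {
  return 'localhost|' + '*'.repeat(wildcards) + 'x';
}

console.log(bypassesProxy('api.internal.example', 'localhost|*.internal.example')); // true
console.log(bypassesProxy('evil.example', 'localhost|*.internal.example'));         // false
console.log(bypassesProxy('a'.repeat(40), hostileNonProxyHosts()));                 // false, instantly
```

The regex version is kept only to show the shape of the problem; the defence is either a matcher like `wildcardMatch` or a hard cap on the number of wildcards accepted per entry before any regex is compiled.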
Recent vulnerabilities disclosed by Snyk
- Critical: Arbitrary Code Injection in unisharp/laravel-filemanager (composer)
- Medium: Infinite loop in bn.js (npm)
- High: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in directorytree/imapengine (composer)
- Medium: Regular Expression Denial of Service (ReDoS) in markdown-it (npm)
- Critical: Arbitrary Code Injection in jsonpath (npm)
Snyk security researchers have disclosed 3467 vulnerabilities.
About Snyk dependencies vulnerability database
Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer's toolkit.