CVE-2025-44136
📋 TL;DR
CVE-2025-44136 is a reflected cross-site scripting vulnerability in MapTiler Tileserver-php where the 'layer' GET parameter is not properly sanitized before being reflected in error messages. This allows unauthenticated attackers to execute arbitrary JavaScript in victims' browsers when they visit specially crafted URLs. All users running the vulnerable version are affected.
💻 Affected Systems
- MapTiler Tileserver-php
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware on victim systems.
Likely Case
Session hijacking, credential theft, defacement of the application interface, or redirection to phishing sites.
If Mitigated
Limited impact if proper Content Security Policy headers are implemented and cookies are secured with HttpOnly flags.
🎯 Exploit Status
Exploitation requires user interaction (clicking a malicious link) but is trivial to weaponize in phishing campaigns.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: Not available
Restart Required: No
Instructions:
No official patch available. Consider upgrading to a newer version if available or implementing workarounds.
🔧 Temporary Workarounds
Input Sanitization
Add input validation and output encoding for the 'layer' parameter in the error-handling code.
Modify error.php or similar files to pass the parameter through htmlspecialchars($layer, ENT_QUOTES, 'UTF-8') before output.
Content Security Policy
Implement strict CSP headers to prevent execution of inline scripts.
Add header: Content-Security-Policy: default-src 'self'; script-src 'self'
🧯 If You Can't Patch
- Implement Web Application Firewall (WAF) rules to block XSS payloads in GET parameters
- Disable detailed error messages in production environments
🔍 How to Verify
Check if Vulnerable:
Test by requesting a URL with an XSS payload in the layer parameter: http://target/?layer=<script>alert(1)</script>
Check Version:
Check composer.json or the version file in the installation directory
Verify Fix Applied:
Verify that script tags are properly encoded in error messages and do not execute
📡 Detection & Monitoring
Log Indicators:
- Unusual GET requests with script tags or JavaScript in the layer parameter
- Multiple error responses with suspicious parameter values
Network Indicators:
- HTTP requests containing <script> tags in query parameters
- Outbound connections to suspicious domains following error page visits
SIEM Query:
source="web_logs" AND uri_query="*<script>*" AND (status="200" OR status="500")
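Detection logic for the log indicators above, as an added example (not from the advisory and not part of Tileserver-php): it parses constructed combined-format access-log lines, URL-decodes the 'layer' value until stable (so double-encoded probes, which a literal *<script>* match on the raw query misses, are normalised too) and flags script-like content regardless of the response status.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOGS = """\
203.0.113.5 - - [10/May/2025:12:00:01 +0000] "GET /?layer=osm&z=3 HTTP/1.1" 200 512
203.0.113.7 - - [10/May/2025:12:00:02 +0000] "GET /?layer=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 500 318
203.0.113.9 - - [10/May/2025:12:00:03 +0000] "GET /?layer=%253Cscript%253Ealert(1)%253C%2Fscript%253E HTTP/1.1" 200 301
203.0.113.9 - - [10/May/2025:12:00:04 +0000] "GET /styles.css HTTP/1.1" 200 900
"""
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<uri>\S+) \S+" (?P<status>\d{3}) ')
# A legitimate layer name is a plain identifier; anything else gets a closer look.
SAFE_LAYER_RE = re.compile(r'^[A-Za-z0-9_.-]+$')
# Markup or script fragments that have no business in a layer name.
SUSPICIOUS_RE = re.compile(r'<\s*/?\s*script|javascript:|on\w+\s*=|<\s*(img|svg|iframe)\b', re.I)

def parse_line(line):
    """Return (ip, status, list of 'layer' values) for one log line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group('uri')).query
    layers = parse_qs(query, keep_blank_values=True).get('layer', [])
    return m.group('ip'), int(m.group('status')), layers

def fully_decode(value, max_rounds=3):
    """URL-decode until stable so double-encoded payloads are normalised too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_suspicious_layer(value):
    """True if the decoded layer value looks like a reflected-XSS probe."""
    decoded = fully_decode(value)
    if SAFE_LAYER_RE.match(decoded):
        return False
    return bool(SUSPICIOUS_RE.search(decoded))

def find_xss_attempts(log_text):
    """Return (ip, status, decoded layer value) for each suspicious request, any status."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, status, layers = parsed
        hits.extend((ip, status, fully_decode(v)) for v in layers if is_suspicious_layer(v))
    return hits
```

On the sample above the function reports two hits: the plainly encoded probe that produced a 500 error page and the double-encoded one that returned 200, which a raw-query string match would not have flagged.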