CVE-2025-44136
MapTiler · MapTiler Multiple Products
A critical vulnerability has been identified in multiple MapTiler products, rated 9.8 on the CVSS scale.
Executive summary
A critical vulnerability has been identified in multiple MapTiler products, rated 9.8 on the CVSS scale. The flaw is a reflected cross-site scripting (XSS) issue: an unauthenticated attacker can craft a URL whose layer parameter carries a script payload, and any user who opens that URL has the script executed in their browser within the MapTiler application's origin. That script can then be used to steal credentials, hijack the active session, or deface the web application. Given the severity rating and the fact that exploitation needs nothing more than a victim opening a link, this vulnerability poses a significant and immediate risk to affected systems, above all public-facing ones.
Vulnerability
The vulnerability is a reflected Cross-Site Scripting (XSS) flaw. The application fails to sanitize or HTML-encode user input supplied via the layer GET parameter. When an invalid value is provided, the server reflects the input verbatim inside an error message in the HTML response, so any markup in the value becomes part of the page. An attacker exploits this by crafting a URL with a JavaScript payload in the layer parameter and tricking a user into opening it, for example through a phishing message or a link on a site the attacker controls. The victim's browser executes the script in the origin of the MapTiler application, which means the same-origin policy treats it as the application's own code: it can read cookies that are not marked HttpOnly, read any data the page can reach, and send authenticated requests to the application on the user's behalf. Because the payload travels in the URL rather than being stored on the server, each victim has to be delivered the crafted link individually.
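As an added illustration of the flaw class (this is not MapTiler's code; the /tiles path, the known layer names, the allowlist pattern and the error-message wording are assumptions), the following Node.js snippet shows an error handler that reflects the layer value unencoded beside a hardened version that validates the name against an allowlist pattern and HTML-encodes anything it echoes:

```javascript
// Added illustration of the flaw class, not MapTiler's code. The "/tiles"
// path, the known layer names and the message wording are assumptions.

const KNOWN_LAYERS = new Set(['streets', 'satellite']);
const LAYER_NAME = /^[A-Za-z0-9_-]{1,64}$/;   // allowlist for names worth echoing

// Vulnerable: interpolates the raw parameter into the HTML error message.
function renderErrorVulnerable(layer) {
  return `<html><body><p>Error: layer "${layer}" not found</p></body></html>`;
}

// Minimal HTML entity encoder for text placed in an element body or a
// double-quoted attribute value.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: never echoes a value that fails the allowlist, and encodes the
// ones it does echo so "<" can never open a tag in the response.
function renderErrorHardened(layer) {
  if (!LAYER_NAME.test(layer)) {
    return '<html><body><p>Error: invalid layer name</p></body></html>';
  }
  return `<html><body><p>Error: layer "${escapeHtml(layer)}" not found</p></body></html>`;
}

// Shared request handling: parse the query, serve known layers, otherwise
// hand the (already percent-decoded) value to the chosen error renderer.
function handleRequest(requestUrl, renderError) {
  const url = new URL(requestUrl, 'http://tiles.example');
  const layer = url.searchParams.get('layer') ?? '';
  if (KNOWN_LAYERS.has(layer)) {
    return { status: 200, body: `<html><body><p>Serving layer ${layer}</p></body></html>` };
  }
  return {
    status: 404,
    // Declaring the charset removes one encoding trick from the attacker's toolbox.
    headers: { 'Content-Type': 'text/html; charset=utf-8' },
    body: renderError(layer),
  };
}

// True when the response body contains a live <script> tag or an inline
// event-handler attribute, i.e. when reflection produced executable markup.
function bodyHasExecutableMarkup(html) {
  return /<script[\s>]/i.test(html) || /\son[a-z]+\s*=/i.test(html);
}

// Constructed attacker URL: a script payload percent-encoded into "layer".
const CRAFTED_URL = '/tiles?layer=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E';

console.log(handleRequest(CRAFTED_URL, renderErrorVulnerable).body);
console.log(handleRequest(CRAFTED_URL, renderErrorHardened).body);
```

The hardened renderer does two independent things: the allowlist check means a value containing `<`, `(` or quotes is never reflected at all, and the entity encoding protects the residual case where a syntactically valid but unknown name is echoed. Encoding alone would already close this particular hole; the allowlist is cheap defence in depth against a future template change that drops the encoding.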
Business impact
This vulnerability is rated critical with a CVSS score of 9.8. Successful exploitation compromises the account of whichever user opens the crafted link, so the impact scales with who can be targeted: session theft and actions performed on a victim's behalf become full account takeover when the victim is an administrator. The consequences include data breaches, reputational damage, loss of customer trust, and potential regulatory fines. Because the attacker needs no account of their own, any public-facing instance of the affected software is at immediate risk.
Remediation
Immediate Action: Update all affected MapTiler products to the patched versions as soon as possible; the official MapTiler security advisory lists the specific products, affected versions, and corresponding fixes. After patching, review web server and application access logs for unusual requests targeting the layer parameter. Decode percent-encoded values before inspecting them, since a payload is rarely logged as a plain <script> string.
Proactive Monitoring: Configure monitoring and alerting to detect exploitation attempts. Look for access-log entries whose layer GET parameter, after URL decoding, contains script-like content: <script> tags, inline event-handler attributes such as onerror= or onload=, javascript: URLs, or closing tags that would break out of the error message. Where the organization manages the browsers that use the application, also watch for unusual outbound connections from those clients, which can indicate data exfiltration by a successful payload.
Compensating Controls: If immediate patching is not feasible, place a Web Application Firewall (WAF) in front of the application with rules that block common XSS patterns in GET parameters, in particular HTML and JavaScript constructs in the layer parameter. Treat this as a temporary measure: WAF signatures can be bypassed with alternative encodings and tag forms, so they reduce exposure rather than remove it. A restrictive Content-Security-Policy header that disallows inline scripts limits what a reflected payload can do and is worth deploying alongside the WAF if the application's own scripts permit it.
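The following added example (not from the advisory or from MapTiler) implements the log review described under Proactive Monitoring and uses the same indicator patterns a WAF rule on the layer parameter would be built from. The access-log lines are constructed for this illustration, with addresses from documentation ranges; the combined-log-format layout and the indicator list are assumptions a practitioner would tune to their own environment.

```javascript
// Added detection example; not from the advisory or MapTiler. The log lines
// are constructed for this illustration (IPs from documentation ranges).
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/May/2025:12:00:01 +0000] "GET /tiles?layer=streets&z=3 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [10/May/2025:12:00:02 +0000] "GET /tiles?layer=roads HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
  '192.0.2.44 - - [10/May/2025:12:00:03 +0000] "GET /tiles?layer=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 404 640 "-" "curl/8.0"',
  '192.0.2.45 - - [10/May/2025:12:00:04 +0000] "GET /tiles?z=3&layer=%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E HTTP/1.1" 404 640 "-" "curl/8.0"',
  '203.0.113.9 - - [10/May/2025:12:00:05 +0000] "GET /style.json HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
];

// Combined log format: client IP, timestamp, method, request target, status.
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;

// Indicators that the decoded value contains markup rather than a layer name.
// The same patterns are the basis for a WAF rule scoped to the layer parameter.
const XSS_INDICATORS = {
  script_tag: /<\s*script/i,
  html_tag: /<\s*(img|svg|iframe|body|object|embed|a)\b/i,
  event_handler: /\bon[a-z]+\s*=/i,
  javascript_url: /javascript\s*:/i,
  closing_tag: /<\s*\//,
};

// Decode up to two layers of percent-encoding so double-encoded payloads are
// inspected in their final form; stop on malformed sequences.
function decodeParam(raw) {
  let value = raw.replace(/\+/g, ' ');
  for (let i = 0; i < 2; i++) {
    let decoded;
    try { decoded = decodeURIComponent(value); } catch { break; }
    if (decoded === value) break;
    value = decoded;
  }
  return value;
}

// Returns the raw (still encoded) layer value, '' if present but empty, or
// null when the request carries no layer parameter at all. The parameter
// name is decoded too, so an encoded "l%61yer" is not missed.
function rawLayerParam(target) {
  const q = target.indexOf('?');
  if (q < 0) return null;
  for (const pair of target.slice(q + 1).split('&')) {
    const eq = pair.indexOf('=');
    const name = eq < 0 ? pair : pair.slice(0, eq);
    if (decodeParam(name) === 'layer') return eq < 0 ? '' : pair.slice(eq + 1);
  }
  return null;
}

// One log line in, one finding out (null when nothing suspicious is present).
function scanLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  const [, ip, timestamp, method, target, status] = m;
  const raw = rawLayerParam(target);
  if (raw === null) return null;
  const value = decodeParam(raw);
  const matched = Object.keys(XSS_INDICATORS).filter((k) => XSS_INDICATORS[k].test(value));
  if (matched.length === 0) return null;
  return { ip, timestamp, method, status, value, matched };
}

function scanLog(lines) {
  return lines.map(scanLine).filter((finding) => finding !== null);
}

for (const hit of scanLog(SAMPLE_LOG)) {
  console.log(`${hit.timestamp} ${hit.ip} layer=${JSON.stringify(hit.value)} [${hit.matched.join(', ')}]`);
}
```

Two design points matter in practice. First, decoding happens before matching, and twice, because the double-encoded line in the sample would otherwise look like harmless punctuation; a WAF rule that inspects only the once-decoded argument has the same blind spot. Second, the request with layer=roads is a 404 but not a finding: a simple "alert on every invalid layer" rule would drown the signal in typos. If the deployment only ever uses layer names matching a pattern such as ^[A-Za-z0-9_-]+$, alerting on any value outside that allowlist is a stronger rule than the indicator list, since it also catches encodings and tag forms the list does not anticipate.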
Exploitation status
Public Exploit Available: false
Analyst recommendation
Due to the critical CVSS score of 9.8 and the low effort required of the attacker, this vulnerability presents a severe and immediate threat to the organization. We strongly recommend that all affected MapTiler instances be patched immediately by applying the vendor-supplied updates. Because a reflected XSS still needs a victim to open an attacker-supplied link, prioritize public-facing instances and those used by administrators or other privileged users. This CVE is not on the CISA KEV list and no public exploit is known; since KEV inclusion requires evidence of in-the-wild exploitation rather than a high score, its absence means "no confirmed exploitation yet", not low risk, and the patch should not wait for a listing. Monitor logs for any signs of attempted exploitation while the rollout is in progress.