CVE-2017-1000426
Description
MapProxy 1.10.3 and older has a reflected cross-site scripting (XSS) vulnerability in the demo service: request parameters are not adequately escaped before being rendered into the demo pages, so a crafted URL can run script in a victim's browser and disclose information such as session cookies.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
MapProxy 1.10.3 and older contains a cross-site scripting (XSS) vulnerability in the demo service. The `format` and `srs` parameters of the WMS, WMTS and TMS demo pages are interpolated both into HTML and into the inline JavaScript examples on those pages. Before the fix, demo.py ran them through `xml.sax.saxutils.escape`, which encodes only `&`, `<` and `>`; quote characters pass through untouched, so a value placed inside a JavaScript string literal can terminate the literal and append arbitrary script. The attacker thereby controls HTML and JavaScript in the rendered page. [1][4]
Exploitation
An attacker can craft a malicious URL containing injected script code in the format or srs parameter. If a victim visits this crafted URL while the demo service is enabled (default configuration), the injected script executes in the victim's browser within the context of the MapProxy application. No authentication or special privileges are required. The issue is non-persistent (reflected XSS) and relies on social engineering to lure the victim to the link. [4]
Impact
Successful exploitation leads to information disclosure, typically theft of session cookies belonging to MapProxy itself or to other applications served from the same origin. Cookies not flagged HttpOnly are readable by the injected script; HttpOnly cookies are not, but the script can still issue requests that carry them as the victim. The attacker gains no access to server-side files or data; the impact is confined to the victim's browser. [4]
Mitigation
The vulnerability is fixed in commits 436c8f4 and 420412a, which replace `xml.sax.saxutils.escape` in demo.py with a local `escape()` that HTML-encodes `&`, `<` and `>` and additionally strips single and double quotes, so a parameter value can no longer close a JavaScript string literal. [2][3] Users should upgrade to a release containing the fix (1.11.1 or later according to the advisory data below) or, as a workaround, remove the demo service from the `services` section of the MapProxy configuration. [4] No CISA KEV listing is known for this CVE.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
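The two points above (why `&`/`<`/`>`-only escaping fails once a parameter is also dropped into inline JavaScript, and what the quote-stripping fix does) as an added, runnable example. This is not MapProxy's code: `TEMPLATE` and `TEMPLATE_FIXED` are constructed stand-ins for the demo page, `PAYLOAD` is a constructed attacker value for the `format` parameter, and `mapproxy_style_escape` reproduces the shape of the committed `escape()` under the assumption that the repository uses the `&amp;`, `&gt;`, `&lt;` entity forms (the diff as rendered on this page shows them decoded). The context-aware variant (`html.escape` for HTML, a hardened `json.dumps` for the script slot) is an alternative I am showing, not the project's fix.

```python
"""Added example, not MapProxy's code: why HTML-only escaping fails when a
request parameter is also interpolated into inline JavaScript (the demo-page
bug in CVE-2017-1000426), what the committed quote-stripping fix does, and a
context-aware alternative. TEMPLATE is a constructed stand-in for the demo
page, not the real mapproxy/service/demo.py markup."""
import html
import json
from xml.sax.saxutils import escape as sax_escape  # escaping used before the fix

# Constructed stand-in for the vulnerable page: the same parameter lands in an
# HTML text node and inside a single-quoted JavaScript string literal.
TEMPLATE = (
    "<p>Format: <b>{fmt}</b></p>\n"
    "<script>\n"
    "  var layer = new OpenLayers.Layer.WMS('demo', '/service', {{format: '{fmt}'}});\n"
    "</script>\n"
)

# Constructed payload for the `format` parameter: closes the JS literal, runs
# code, then re-opens a literal so the rest of the statement still parses.
PAYLOAD = "image/png'});alert(document.cookie);({x:'"


def render_sax(value: str) -> str:
    """Pre-fix rendering: xml.sax.saxutils.escape encodes only &, < and >."""
    return TEMPLATE.format(fmt=sax_escape(value))


def mapproxy_style_escape(data: str) -> str:
    """Same shape as the escape() added in 436c8f4/420412a: HTML-encode &, >, <
    and delete both quote characters. (Assumption: the committed code uses the
    entity forms below; the diff as rendered on the page shows them decoded.)"""
    data = data.replace("&", "&amp;").replace(">", "&gt;").replace("<", "&lt;")
    return data.replace("'", "").replace('"', "")


def render_mapproxy_style(value: str) -> str:
    return TEMPLATE.format(fmt=mapproxy_style_escape(value))


def breaks_js_single_quoted_literal(escaped_value: str) -> bool:
    """True if escaped_value, placed between single quotes in JS source, can end
    the literal early (an unescaped ') or swallow the template's closing quote
    (a trailing unescaped backslash)."""
    pending_escape = False
    for ch in escaped_value:
        if pending_escape:
            pending_escape = False
        elif ch == "\\":
            pending_escape = True
        elif ch == "'":
            return True
    return pending_escape


def js_string_literal(value: str) -> str:
    """Context-aware alternative for the JS slot: json.dumps yields a
    double-quoted literal with quotes and backslashes escaped; <, > and & are
    then hex-escaped so the HTML parser cannot see a </script> inside it."""
    return (json.dumps(value)
            .replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026"))


# Fixed template: the JS slot receives a complete literal, not bare text.
TEMPLATE_FIXED = (
    "<p>Format: <b>{fmt_html}</b></p>\n"
    "<script>\n"
    "  var layer = new OpenLayers.Layer.WMS('demo', '/service', {{format: {fmt_js}}});\n"
    "</script>\n"
)


def render_context_aware(value: str) -> str:
    """One escaper per output context instead of one function for both."""
    return TEMPLATE_FIXED.format(fmt_html=html.escape(value, quote=True),
                                 fmt_js=js_string_literal(value))


if __name__ == "__main__":
    for label, render in (("saxutils.escape", render_sax),
                          ("quote-stripping escape", render_mapproxy_style),
                          ("context-aware", render_context_aware)):
        print(f"--- {label} ---")
        print(render(PAYLOAD))
    # Quote stripping alone still lets a trailing backslash eat the closing quote.
    print("trailing backslash breaks out:",
          breaks_js_single_quoted_literal(mapproxy_style_escape("image/png\\")))
```

Running it shows the payload surviving `saxutils.escape` as live script, being neutered (but silently altered) by the quote-stripping escape, and being emitted as an inert literal by the context-aware path. The trailing-backslash check illustrates why stripping characters is weaker than encoding for the context: a value ending in `\` is untouched by the quote-stripping function and escapes the template's closing quote, whereas `json.dumps` encodes it. In a real application the equivalent is a template engine with autoescaping plus a `tojson`-style filter for script slots.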
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| MapProxy (PyPI) | < 1.11.1 | 1.11.1 |
Affected products
Patches
436c8f489761 demo: extend args escaping for javascript examples to avoid XSS
1 file changed · +12 −1
mapproxy/service/demo.py+12 −1 modified@@ -22,7 +22,6 @@ import pkg_resources import mimetypes from collections import defaultdict -from xml.sax.saxutils import escape from mapproxy.config.config import base_config from mapproxy.compat import PY2 @@ -258,3 +257,15 @@ def authorized_demo(self, environ): return True return False return True + + +def escape(data): + """ + Escape user-provided input data for safe inclusion in HTML _and_ JS to prevent XSS. + """ + data = data.replace('&', '&') + data = data.replace('>', '>') + data = data.replace('<', '<') + data = data.replace("'", '') + data = data.replace('"', '') + return data
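Review bot: the new `escape()` in the second hunk deletes `'` and `"` rather than encoding them and leaves backslash alone, so a legitimate value containing a quote is silently altered, and a value ending in `\` still escapes the template's closing quote when the result is dropped into a JavaScript string literal; the docstring promises safety for HTML _and_ JS, but one replacement table cannot serve both contexts. Suggest HTML-encoding quotes as well (`&quot;`, `&#x27;`) for the HTML slots and emitting the JavaScript values as complete literals (json.dumps, with `<`, `>` and `&` mapped to `\u003c`-style escapes) for the script slots, or at minimum documenting in the docstring that quotes are stripped. Separately, as rendered here `data.replace('&', '&')`, `data.replace('>', '>')` and `data.replace('<', '<')` replace each character with itself; if that is the committed code rather than the page having decoded `&amp;`, `&gt;` and `&lt;`, the HTML escaping that the removed `xml.sax.saxutils.escape` import provided is lost entirely and must be confirmed against the repository. Also worth a comment in the first hunk: the local function takes the name of the removed import, so every existing `escape(...)` call site in the module changes behaviour silently.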
420412aad451 demo: extend args escaping for javascript examples to avoid XSS
1 file changed · +12 −1
mapproxy/service/demo.py+12 −1 modified@@ -22,7 +22,6 @@ import pkg_resources import mimetypes from collections import defaultdict -from xml.sax.saxutils import escape from mapproxy.config.config import base_config from mapproxy.compat import PY2 @@ -258,3 +257,15 @@ def authorized_demo(self, environ): return True return False return True + + +def escape(data): + """ + Escape user-provided input data for safe inclusion in HTML _and_ JS to prevent XSS. + """ + data = data.replace('&', '&') + data = data.replace('>', '>') + data = data.replace('<', '<') + data = data.replace("'", '') + data = data.replace('"', '') + return data
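Review bot: identical diff to 436c8f4 above (presumably the same fix landed on a second branch); the same comments apply, and any revision to `escape()` should be applied to both branches so they do not drift.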
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-g4rw-82hq-8jpr (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2017-1000426 (ghsa, ADVISORY)
- github.com/mapproxy/mapproxy/commit/420412aad45171e05752007a0a2350c03c28dfd8 (ghsa, WEB)
- github.com/mapproxy/mapproxy/commit/436c8f489761d1b4ee22b2440b53cc96bbc28aea (ghsa, WEB)
- github.com/mapproxy/mapproxy/issues/322 (ghsa, x_refsource_CONFIRM, WEB)
News mentions
No linked articles in our index yet.