Cross-site scripting in geoserver - CVE-2024-23643
Published: March 19, 2024 / Updated: May 5, 2026
geoserver
Detailed vulnerability description
The vulnerability allows a remote privileged user to execute arbitrary script in another administrator's browser.
The vulnerability exists due to a stored cross-site scripting flaw in the GWC Seed Form: catalog data stored in the GeoServer catalog is rendered into the form without adequate HTML escaping. A remote user with privileges to modify catalog data can store a JavaScript payload in the catalog; the payload is executed when another administrator views the form.
Exploitation requires user interaction (the victim administrator must open the GWC Seed Form), after which the payload runs in the context of that administrator's browser session.
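To make the defect class concrete, the following is an added example and not GeoServer or GeoWebCache code (GeoServer itself is Java; Python is used here only to illustrate the rendering flaw). It shows a naive template that interpolates catalog layer identifiers into the seed form's layer selector unescaped, the same rendering with HTML escaping applied, and a small audit that flags stored catalog entries containing markup characters, which an administrator can run against an export of the catalog to check whether a payload has already been stored. The function names, field names, sample catalog and payload are all assumptions constructed for this example.

```python
import html
import re

# Constructed sample catalog (not real GeoServer data): one ordinary layer and one
# whose stored name carries a script payload, as a privileged user could set it.
SAMPLE_CATALOG = [
    {"workspace": "topp", "name": "states"},
    {"workspace": "demo", "name": "<script>alert(document.domain)</script>"},
]


def layer_id(layer):
    """Hypothetical helper: the 'workspace:name' identifier the form would display."""
    return f'{layer["workspace"]}:{layer["name"]}'


def render_seed_form_vulnerable(layers):
    """Builds the layer selector by raw string interpolation, mirroring the flaw class:
    catalog data lands in the HTML unescaped, so a stored payload becomes live markup."""
    options = "".join(
        f'<option value="{layer_id(l)}">{layer_id(l)}</option>' for l in layers
    )
    return f'<form action="seed"><select name="layer">{options}</select></form>'


def render_seed_form_fixed(layers):
    """Same selector, but every catalog-derived value is HTML-escaped before insertion.
    quote=True also encodes quotes, which matters inside the value="..." attribute."""
    options = "".join(
        f'<option value="{html.escape(layer_id(l), quote=True)}">'
        f"{html.escape(layer_id(l), quote=True)}</option>"
        for l in layers
    )
    return f'<form action="seed"><select name="layer">{options}</select></form>'


# Characters that have meaning in HTML text or attribute context; a layer name
# containing any of them deserves a look before an administrator opens the form.
MARKUP_CHARS = re.compile(r"[<>\"'&]")


def audit_catalog(layers):
    """Returns the (workspace, name) pairs whose stored name contains markup characters."""
    return [
        (l["workspace"], l["name"]) for l in layers if MARKUP_CHARS.search(l["name"])
    ]


if __name__ == "__main__":
    print("vulnerable:", render_seed_form_vulnerable(SAMPLE_CATALOG))
    print("fixed:     ", render_seed_form_fixed(SAMPLE_CATALOG))
    print("suspicious:", audit_catalog(SAMPLE_CATALOG))
```

The durable fix is the escaped rendering: the template must encode every catalog-derived value at the point it is written into HTML. The audit is only a stopgap for spotting entries that were stored before a patched version was deployed; a name that merely contains `&` or a quote is not necessarily malicious, so the hits are for review, not automatic deletion.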