Cross-site scripting in geoserver - CVE-2024-23643


Published: March 19, 2024 / Updated: May 5, 2026


Vulnerability identifier: #VU129752
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-23643
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: geoserver
Affected software:
geoserver

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary script in another administrator's browser.

The vulnerability exists due to cross-site scripting in the GWC Seed Form when it renders data stored in the GeoServer catalog. A remote privileged user can store a JavaScript payload in the catalog; the payload is executed when another administrator views the form, allowing the attacker to run arbitrary script in that administrator's browser.

User interaction is required, and the payload executes in the context of the victim administrator's browser.
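As an added illustration (not GeoServer's own code; the field names and catalog entries below are constructed), this shows the pattern behind this class of bug and the checks a defender would want: catalog-derived text rendered into a form unescaped versus escaped on output, plus a scan of catalog entries for stored markup.

```python
import html
import re

# Constructed sample of catalog entries as a seed form might list them
# (hypothetical field names; not GeoServer's actual catalog model).
CATALOG_ENTRIES = [
    {"name": "topp:states", "title": "USA Population"},
    {"name": "nurc:Img_Sample", "title": "North America sample imagery"},
    # A privileged user has stored markup in a display field.
    {"name": "evil:layer", "title": "<script>alert('x')</script>"},
]

# Rough signature of HTML tags, inline event handlers and javascript: URLs.
MARKUP_PATTERN = re.compile(r"<\s*/?\s*[a-z!]|on\w+\s*=|javascript:", re.IGNORECASE)


def render_option_vulnerable(entry):
    """Vulnerable rendering: catalog text is concatenated into HTML as-is."""
    return '<option value="%s">%s</option>' % (entry["name"], entry["title"])


def render_option_hardened(entry):
    """Hardened rendering: every catalog-derived string is HTML-escaped on output."""
    return '<option value="%s">%s</option>' % (
        html.escape(entry["name"], quote=True),
        html.escape(entry["title"], quote=True),
    )


def find_suspicious_entries(entries):
    """Detection check: return (name, field) pairs whose display fields contain markup."""
    hits = []
    for entry in entries:
        for field in ("name", "title"):
            if MARKUP_PATTERN.search(entry[field]):
                hits.append((entry["name"], field))
    return hits
```

Escaping on output is the fix that holds regardless of which privileged user wrote the data; the scan is only a triage aid for finding already-stored payloads.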


How to mitigate CVE-2024-23643

Install the security update from the vendor's website.
