Cross-site scripting in GeoServer - CVE-2024-23821
Published: March 19, 2024 / Updated: May 5, 2026
geoserver
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary script in another user's browser.
The vulnerability exists because the GWC Demos Page renders catalog data from the GeoServer catalog in a way that permits cross-site scripting. A remote user with privileges to modify the catalog can store a JavaScript payload there; the payload executes in the browser of any other user who views the page.
Exploitation requires user interaction: a victim must view the GWC Demos Page. That page is reachable by all users, although data security settings may limit which users are able to trigger the issue.
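The bug class described above, as an added illustration that is not GeoServer's own code: a constructed set of catalog entries is rendered into a demo-page table the unsafe way (string concatenation, so stored markup becomes live HTML) and the hardened way (context-specific encoding for text, attribute and URL-path positions), plus a defender-side audit that flags catalog entries already carrying markup characters. The catalog layout, field names and the `/gwc/demo/` path are assumptions for the example.

```python
import html
from urllib.parse import quote

# Constructed catalog entries standing in for GeoServer layer names and titles
# (not real data). The third entry is what a privileged user could have stored.
CATALOG = [
    {"name": "topp:states", "title": "USA Population"},
    {"name": "nurc:Img_Sample", "title": "North America sample imagery"},
    {"name": "demo:<img src=x onerror=alert(1)>", "title": "a \" onmouseover=\"alert(2)"},
]

def render_row_unsafe(layer):
    # Vulnerable pattern: catalog strings are concatenated into HTML verbatim,
    # so any markup stored in the catalog becomes part of the page (stored XSS).
    return (f'<tr><td><a href="/gwc/demo/{layer["name"]}">{layer["name"]}</a></td>'
            f'<td title="{layer["title"]}">{layer["title"]}</td></tr>')

def render_row_safe(layer):
    # Hardened pattern: encode for each output context separately.
    #  - element text and attribute values: html.escape with quote=True
    #  - URL path segment: percent-encode first, then escape for the attribute
    name_txt = html.escape(layer["name"], quote=True)
    title_txt = html.escape(layer["title"], quote=True)
    href = html.escape("/gwc/demo/" + quote(layer["name"], safe=":"), quote=True)
    return (f'<tr><td><a href="{href}">{name_txt}</a></td>'
            f'<td title="{title_txt}">{title_txt}</td></tr>')

def find_markup_in_catalog(catalog):
    """Defender-side audit: return (layer name, field) pairs whose stored value
    contains characters that would act as HTML markup if rendered unencoded."""
    suspicious = []
    for layer in catalog:
        for field in ("name", "title"):
            if any(ch in layer[field] for ch in '<>"\''):
                suspicious.append((layer["name"], field))
    return suspicious
```

Running the audit against a live catalog after patching is a cheap way to find entries that were stored while the page was still vulnerable.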