Cross-site scripting in geoserver - CVE-2024-23821

Published: March 19, 2024 / Updated: May 5, 2026


Vulnerability identifier: #VU129753
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-23821
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: geoserver
Affected software:
geoserver

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary script in another user's browser.

The vulnerability exists due to cross-site scripting in the GWC Demos Page when rendering catalog data from the GeoServer catalog. A remote privileged user can store a JavaScript payload in the catalog to execute arbitrary script in another user's browser.

User interaction is required: the victim must view the GWC Demos Page. That page is reachable by all users, although data security restrictions may limit which users are able to trigger the issue.
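As an added illustration, not GeoServer's own code, the JavaScript below models the pattern behind this class of bug: catalog strings written into the demo page without output encoding, beside the hardened form that escapes them, plus a small audit over constructed catalog entries that an administrator can run while the update is rolled out. The layer names, formats and table layout are assumptions made for the example.

```javascript
// Added example (not GeoServer's code): a minimal model of a demo page that
// renders rows from the catalog, in an unsafe and a hardened form, plus a
// catalog audit a defender can run before the fix is deployed.

// Constructed sample catalog; the second entry carries markup in its name.
const sampleCatalog = [
  { name: "topp:states", format: "image/png" },
  { name: "roads<script>alert(1)</script>", format: "image/jpeg" },
];

// Escape the five HTML-significant characters so catalog values render as text.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Vulnerable pattern: catalog strings concatenated straight into markup,
// so stored markup becomes live markup in every viewer's browser.
function renderDemoRowUnsafe(layer) {
  return `<tr><td>${layer.name}</td><td>${layer.format}</td></tr>`;
}

// Hardened pattern: every catalog-derived value passes through escapeHtml first.
function renderDemoRowSafe(layer) {
  return `<tr><td>${escapeHtml(layer.name)}</td><td>${escapeHtml(layer.format)}</td></tr>`;
}

// Build the whole table with either row renderer.
function renderDemoTable(catalog, rowRenderer) {
  return `<table>${catalog.map(rowRenderer).join("")}</table>`;
}

// Audit helper: list catalog entries whose names contain HTML metacharacters,
// so stored data can be reviewed while the vendor update is being applied.
function findSuspiciousLayerNames(catalog) {
  return catalog.filter((l) => /[<>"'&]/.test(l.name)).map((l) => l.name);
}
```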


How to mitigate CVE-2024-23821

Install the security update from the vendor's website.

Sources