Cross-site scripting in geoserver - CVE-2024-23819
Published: March 19, 2024 / Updated: May 5, 2026
geoserver
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary script in a victim's browser.
The vulnerability exists due to cross-site scripting in the MapML HTML Page when rendering catalog content. A remote privileged user can store a malicious JavaScript payload in the GeoServer catalog to execute arbitrary script in a victim's browser.
User interaction is required to view the MapML HTML Page, and the MapML extension must be installed.