Cross-site scripting in geoserver - CVE-2024-23818
Published: March 19, 2024 / Updated: May 5, 2026
geoserver
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary script in another user's browser.
The vulnerability exists due to cross-site scripting in the WMS GetMap OpenLayers output format when rendering catalog content containing a stored JavaScript payload. A remote privileged user can store a crafted JavaScript payload in the GeoServer catalog to execute arbitrary script in another user's browser.
User interaction is required to view the WMS GetMap OpenLayers output format.