Cross-site scripting in geoserver - CVE-2024-23818

Published: March 19, 2024 / Updated: May 5, 2026


Vulnerability identifier: #VU129755
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-23818
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: geoserver
Affected software:
geoserver

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary script in another user's browser.

The vulnerability exists due to cross-site scripting in the WMS GetMap OpenLayers output format when it renders catalog content containing a stored JavaScript payload. A remote privileged user can store a crafted JavaScript payload in the GeoServer catalog; the payload then executes in the browser of any user who views the affected output.

User interaction is required: the victim must view the WMS GetMap OpenLayers output format.
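The weakness class here (CWE-79) is catalog text reaching an HTML or JavaScript context without contextual output encoding. The following Python is an added illustration written for this page, not GeoServer's code; the catalog entries are constructed samples and the field names (`name`, `title`, `abstract`) are assumed. It shows the two things a defender wants: an audit that flags catalog strings containing markup, and the escaping a template must apply separately for an HTML context and for a JavaScript string-literal context such as an OpenLayers initialisation script.

```python
import html
import json
import re

# Constructed sample catalog entries (not real GeoServer data). The third entry
# carries a harmless script tag in its abstract to stand in for stored markup.
SAMPLE_CATALOG = [
    {"name": "roads", "title": "Road network", "abstract": "Primary and secondary roads"},
    {"name": "parcels", "title": "Parcels <b>2023</b>", "abstract": "Cadastral parcels & boundaries"},
    {"name": "hydro", "title": "Rivers", "abstract": "<script>alert(1)</script>"},
]

# Anything that looks like an HTML tag, a javascript: URL or an inline event handler.
# Deliberately broad: an audit should over-report and let a human review the hits.
MARKUP_PATTERN = re.compile(r"<\s*/?\s*[a-z][^>]*>|javascript:|on[a-z]+\s*=", re.IGNORECASE)


def audit_catalog(entries):
    """Return (layer name, field) pairs whose text contains markup-like content."""
    findings = []
    for entry in entries:
        for field in ("title", "abstract"):
            if MARKUP_PATTERN.search(entry.get(field, "")):
                findings.append((entry["name"], field))
    return findings


def render_layer_html(entry):
    """HTML context: escape every interpolated value, including attribute values."""
    return '<h2 title="{0}">{1}</h2>'.format(
        html.escape(entry["title"], quote=True),
        html.escape(entry["abstract"]),
    )


def js_string_literal(value):
    """JavaScript string-literal context: json.dumps yields a correctly quoted literal,
    and '<' / '>' are additionally written as \\u003c / \\u003e so that a '</script>'
    inside the value cannot terminate the enclosing inline <script> block."""
    literal = json.dumps(value)
    return literal.replace("<", "\\u003c").replace(">", "\\u003e")


def render_layer_js(entry):
    """Emit the assignment an OpenLayers-style page would embed in its script."""
    return "var layerTitle = {0};".format(js_string_literal(entry["title"]))


if __name__ == "__main__":
    for name, field in audit_catalog(SAMPLE_CATALOG):
        print("markup found in catalog entry {0!r}, field {1!r}".format(name, field))
    for entry in SAMPLE_CATALOG:
        print(render_layer_html(entry))
        print(render_layer_js(entry))
```

The audit is a compensating control for existing catalog content; the escaping functions show the fix pattern that the vendor update applies in the output format itself. Note that the HTML and JavaScript contexts need different encoders: HTML entity escaping alone does not make a value safe inside a script block, and vice versa.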


How to mitigate CVE-2024-23818

Install the security update from the vendor's website.

Sources