Cross-site scripting in geoserver - CVE-2024-23642

 

Published: March 19, 2024 / Updated: May 5, 2026


Vulnerability identifier: #VU129756
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-23642
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: geoserver
Affected software:
geoserver

Detailed vulnerability description

The vulnerability allows a remote privileged user to execute arbitrary JavaScript in another user's browser.

The vulnerability exists due to insufficient output encoding in the Simple SVG renderer when it produces the WMS GetMap SVG output format (CWE-79, stored cross-site scripting). A remote user with the privileges needed to edit the GeoServer catalog can store a JavaScript payload in a catalog entry that the renderer copies into the SVG document without escaping. Because SVG is an XML document that browsers render with script and event-handler support, another user who opens the crafted GetMap output has the payload executed in the context of their own session.

User interaction is required: the victim must open the crafted SVG output in a browser. The issue is exposed only when the Simple SVG renderer is enabled, and because the payload is stored rather than reflected, the exposure persists until the offending catalog entry is cleaned up, not merely until the request ends.
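The following is an added example, not GeoServer's own code, that models the class of bug described above: an SVG writer that copies a catalog-stored string (here a hypothetical layer title) verbatim into the output next to a hardened writer that escapes it, plus a checker a practitioner could run over the body of an SVG-format GetMap response to flag script elements, `on*` event-handler attributes and `javascript:` hrefs. The renderer structure, the sample title and the feature paths are all constructed for illustration.

```python
"""Model of an unescaped SVG writer beside a hardened one, with a checker.

Hypothetical illustration of CWE-79 in an SVG output format; this is not
GeoServer's SVG renderer, only a minimal stand-in for the pattern.
"""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

# Constructed sample values: what a privileged user might store as a layer
# title in the catalog. The payload closes the <title> the writer opened,
# injects a script element, and reopens <title> so the document stays
# well-formed XML (a browser in XML mode refuses malformed SVG outright).
MALICIOUS_TITLE = 'roads</title><script>alert(document.cookie)</script><title>'
BENIGN_TITLE = 'Roads & Streets'

# Constructed feature geometries (id, SVG path data).
SAMPLE_FEATURES = [("f1", "M 10 10 L 50 10"), ("f2", "M 10 50 L 50 50")]

SVG_OPEN = '<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">'


def render_svg_unescaped(layer_title, features):
    """Vulnerable model: interpolates the stored title straight into the SVG."""
    parts = ['<?xml version="1.0"?>', SVG_OPEN,
             f'<g id="layer"><title>{layer_title}</title>']
    for fid, path in features:
        parts.append(f'<path id="{fid}" d="{path}"/>')
    parts.append('</g></svg>')
    return '\n'.join(parts)


def render_svg_escaped(layer_title, features):
    """Hardened model: text nodes go through escape(), attributes through quoteattr()."""
    parts = ['<?xml version="1.0"?>', SVG_OPEN,
             f'<g id="layer"><title>{escape(layer_title)}</title>']
    for fid, path in features:
        parts.append(f'<path id={quoteattr(fid)} d={quoteattr(path)}/>')
    parts.append('</g></svg>')
    return '\n'.join(parts)


_JS_SCHEME = re.compile(r'^\s*javascript:', re.IGNORECASE)


def _local_name(qualified):
    """Strip an ElementTree '{namespace}' prefix, e.g. from xlink:href."""
    return qualified.rsplit('}', 1)[-1].lower()


def find_active_content(svg_text):
    """Return (element, reason) findings for script-bearing SVG constructs.

    Raises xml.etree.ElementTree.ParseError on non-well-formed input.
    """
    findings = []
    root = ET.fromstring(svg_text)
    for el in root.iter():
        tag = _local_name(el.tag)
        if tag == 'script':
            findings.append((tag, 'script element'))
        for name, value in el.attrib.items():
            attr = _local_name(name)
            if attr.startswith('on'):
                findings.append((tag, f'event handler attribute {attr}'))
            elif attr == 'href' and _JS_SCHEME.match(value):
                findings.append((tag, 'javascript: href'))
    return findings


def is_well_formed(svg_text):
    """True if the SVG parses as XML; the unescaped writer fails this on benign
    data containing '&' or '<', which is a second symptom of missing encoding."""
    try:
        ET.fromstring(svg_text)
        return True
    except ET.ParseError:
        return False


def is_vulnerable(render):
    """True if the given renderer lets the stored title become active content."""
    return bool(find_active_content(render(MALICIOUS_TITLE, SAMPLE_FEATURES)))


if __name__ == '__main__':
    for name, render in (('unescaped', render_svg_unescaped),
                         ('escaped', render_svg_escaped)):
        print(f'{name}: vulnerable={is_vulnerable(render)}')
```

`find_active_content` is deliberately conservative: it flags any element whose local name is `script`, any attribute beginning with `on`, and any `href` (plain or `xlink:`) with a `javascript:` scheme, which covers the vectors that matter in SVG rendered as XML. Pointing it at a saved GetMap SVG response from a server where a privileged user has edited catalog entries is a quick way to confirm whether the Simple renderer is emitting unencoded data.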


How to mitigate CVE-2024-23642

Install the security update from the vendor's website. Until it is applied, the description above implies two compensating measures: do not enable the Simple SVG renderer, since the issue is exposed only through it, and review catalog entries that privileged users can edit for stored script content, since the payload persists in the catalog rather than in a single request.

Sources