Cross-site scripting in geoserver - CVE-2024-23642
Published: March 19, 2024 / Updated: May 5, 2026
geoserver
Detailed vulnerability description
The vulnerability allows a remote user with write access to the GeoServer catalog to execute arbitrary JavaScript in another user's browser.

The vulnerability exists due to cross-site scripting in the Simple SVG renderer used for the WMS GetMap SVG output format. A remote privileged user can store a JavaScript payload in the GeoServer catalog; the renderer writes the stored text into the SVG document without escaping it, so the payload is emitted as live markup (stored XSS) and runs when another user opens the rendered output in a browser.

User interaction is required: a victim must view the crafted SVG output. The issue is exposed only when the Simple SVG renderer is enabled.
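The defect class described above, as an added example (not GeoServer code): a constructed catalog entry whose title carries markup is rendered into an SVG document once verbatim and once XML-escaped, and a small scanner checks whether the resulting SVG contains anything a browser would execute. The SVG template, the sample layer, the payload and the helper names are all assumptions made for this demo; the `FORMAT=image/svg` value in the request builder is also an assumption about how the format is advertised.

```python
"""Stored XSS through SVG output: unescaped catalog text vs. escaped text.

Added example, not GeoServer's own code. The catalog entry, the payload and the
SVG template below are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlencode
from xml.sax.saxutils import escape

SVG_NS = "http://www.w3.org/2000/svg"

# Constructed catalog entry: a user with catalog write access sets a layer title
# that closes the enclosing <text> element and injects a <script> element.
SAMPLE_LAYER = {
    "name": "roads",
    "title": "</text><script>alert(document.cookie)</script><text>",
}


def render_svg_vulnerable(layer):
    """Copies catalog text straight into the SVG document (the bug pattern)."""
    return (
        f'<svg xmlns="{SVG_NS}" width="256" height="256">'
        f'<text x="10" y="20">{layer["title"]}</text>'
        f'<g id="{layer["name"]}"/>'
        "</svg>"
    )


def render_svg_hardened(layer):
    """Same document, but every catalog value is XML-escaped before emission.
    Attribute values additionally escape the double quote that delimits them."""
    title = escape(layer["title"])
    name = escape(layer["name"], {'"': "&quot;"})
    return (
        f'<svg xmlns="{SVG_NS}" width="256" height="256">'
        f'<text x="10" y="20">{title}</text>'
        f'<g id="{name}"/>'
        "</svg>"
    )


# Fallback patterns for documents that do not parse as XML.
_RAW_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"\son[a-z]+\s*=", re.I),
    re.compile(r"href\s*=\s*[\"']?\s*javascript:", re.I),
]


def svg_has_active_content(svg_text):
    """Return True if the SVG contains something a browser would execute:
    a <script> element, an on* event-handler attribute, or a javascript: href.
    Parses as XML (how a browser treats image/svg+xml); falls back to a raw
    text scan when the document is not well-formed."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError:
        return any(p.search(svg_text) for p in _RAW_PATTERNS)
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1].lower()
        if local == "script":
            return True
        for attr, value in el.attrib.items():
            a = attr.rsplit("}", 1)[-1].lower()
            if a.startswith("on"):
                return True
            if a == "href" and value.strip().lower().startswith("javascript:"):
                return True
    return False


def getmap_svg_request(base_url, layer_name, bbox="-180,-90,180,90"):
    """Build the WMS GetMap URL a tester fetches to inspect the SVG output.
    The OGC parameter names are standard; the exact FORMAT string the server
    advertises (assumed here to be image/svg) is read from GetCapabilities."""
    params = {
        "SERVICE": "WMS", "VERSION": "1.1.1", "REQUEST": "GetMap",
        "LAYERS": layer_name, "STYLES": "", "SRS": "EPSG:4326",
        "BBOX": bbox, "WIDTH": "256", "HEIGHT": "256", "FORMAT": "image/svg",
    }
    return f"{base_url.rstrip('/')}/wms?{urlencode(params)}"


if __name__ == "__main__":
    for label, renderer in (("vulnerable", render_svg_vulnerable),
                            ("hardened", render_svg_hardened)):
        svg = renderer(SAMPLE_LAYER)
        print(f"{label}: active content = {svg_has_active_content(svg)}")
    print(getmap_svg_request("http://geoserver.example", "roads"))
```

The scanner is also usable against live output: fetch the URL from `getmap_svg_request` for each layer whose metadata untrusted users can edit, pass the body to `svg_has_active_content`, and treat any True as confirmation that catalog text reaches the SVG unescaped. Parsing as XML matters because a browser served `image/svg+xml` applies the same rules, so a payload that only works under HTML parsing is not a finding for this output format.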