Cross-site scripting in geoserver - CVE-2024-23640
Published: March 19, 2024 / Updated: May 5, 2026
geoserver
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary script in a victim's browser.
The vulnerability exists due to cross-site scripting in the Style Publisher when rendering uploaded style or legend resources or a specially crafted datastore file. A remote privileged user can store a JavaScript payload to execute arbitrary script in a victim's browser.
User interaction is required when another user views the malicious content in the Style Publisher.