Cross-site scripting in geoserver - CVE-2023-51445

 


Published: March 19, 2024 / Updated: May 5, 2026


Vulnerability identifier: #VU129760
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-51445
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: geoserver
Affected software:
geoserver

Detailed vulnerability description

The vulnerability allows a remote privileged user to execute arbitrary JavaScript in another administrator's browser.

The vulnerability exists due to insufficient sanitization of files uploaded through the REST Resources API and later served back when a style or legend resource is viewed. A remote user with permission to upload resources (PR:H in the vector above) can store a specially crafted file containing HTML or script; when another administrator opens that resource through the API, the browser renders it in the GeoServer origin and the script executes with that administrator's session.

User interaction is required: the payload runs only when another administrator views the stored file (UI:P). The vector records no direct impact on GeoServer itself (VC:N/VI:N/VA:N); the low subsequent-system impact (SC:L/SI:L) reflects what the script can do inside the victim's browser.
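A check a practitioner can run against an instance before and after patching, added here as an example and not part of GeoServer or of this advisory: given the response headers and body that the REST Resources API returns for a stored style or legend file, it decides whether a browser would render the response as a document (the precondition for the script to run) and whether the file carries active content. The endpoint form /geoserver/rest/resource/<path>, the header sets and every sample response are assumptions constructed for the example; the page does not describe the real endpoint, headers or fix.

```python
import re

# MIME types that a browser, when navigated to the URL directly, renders as a
# document in which inline script can execute. The XML types are included
# because an xml-stylesheet PI pointing at XSLT, or inline XHTML/SVG, can
# produce a scriptable document from an "XML" response.
RENDERABLE_TYPES = {
    "text/html",
    "application/xhtml+xml",
    "image/svg+xml",
    "text/xml",
    "application/xml",
}

# Leading byte patterns browsers sniff as HTML when no Content-Type is sent.
HTML_SNIFF = re.compile(
    rb"^\s*(<!doctype html|<html|<head|<script|<iframe|<body|<div|<table|<a[\s>])",
    re.IGNORECASE,
)

# Active content that has no business in an SLD style or a legend image:
# script elements, inline event handlers, javascript: URLs, XSLT PIs.
ACTIVE_CONTENT = re.compile(
    rb"<script\b|\son[a-z]+\s*=|javascript:|<\?xml-stylesheet",
    re.IGNORECASE,
)


def _header(headers, name):
    """Case-insensitive header lookup; returns None when absent."""
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def would_render_as_document(headers, body):
    """True if navigating a browser to this response renders the body as a
    document (so any script in it runs); False if the browser would download
    it or show it as inert text."""
    disposition = _header(headers, "content-disposition") or ""
    if disposition.strip().lower().startswith("attachment"):
        return False  # forced download, never rendered
    ctype = _header(headers, "content-type")
    if ctype is None:
        # No declared type: browsers sniff the body unless nosniff is set.
        nosniff = (_header(headers, "x-content-type-options") or "").strip().lower() == "nosniff"
        return not nosniff and HTML_SNIFF.match(body) is not None
    essence = ctype.split(";", 1)[0].strip().lower()
    return essence in RENDERABLE_TYPES


def contains_active_content(body):
    """True if the resource body carries script-capable markup."""
    return ACTIVE_CONTENT.search(body) is not None


def audit_resource(path, headers, body):
    """Combine both checks for one stored resource fetched from the assumed
    endpoint /geoserver/rest/resource/<path>."""
    renders = would_render_as_document(headers, body)
    active = contains_active_content(body)
    return {
        "url": "/geoserver/rest/resource/" + path,
        "renders": renders,
        "active_content": active,
        "exposed": renders and active,  # the stored-XSS condition
    }


# Constructed sample responses (headers, body) keyed by resource path.
SAMPLES = {
    # Uploaded HTML served back verbatim: the vulnerable pattern.
    "styles/legend.html": (
        {"Content-Type": "text/html"},
        b"<html><script>alert(document.cookie)</script></html>",
    ),
    # A legitimate SLD: rendered as XML, but carries nothing executable.
    "styles/roads.sld": (
        {"Content-Type": "application/xml"},
        b'<?xml version="1.0"?><StyledLayerDescriptor version="1.0.0"/>',
    ),
    # Malicious SVG served as a download: not exposed.
    "styles/legend.svg": (
        {"Content-Type": "application/octet-stream",
         "Content-Disposition": 'attachment; filename="legend.svg"'},
        b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>',
    ),
    # No Content-Type but nosniff set: the browser will not sniff it to HTML.
    "styles/notes.txt": (
        {"X-Content-Type-Options": "nosniff"},
        b"<script>alert(1)</script>",
    ),
    # No Content-Type and no nosniff: the sniffer turns this into HTML.
    "styles/README": (
        {},
        b"<!DOCTYPE html><script>alert(1)</script>",
    ),
}


def run_audit(samples=SAMPLES):
    return {path: audit_resource(path, h, b) for path, (h, b) in samples.items()}


if __name__ == "__main__":
    for verdict in run_audit().values():
        print("EXPOSED" if verdict["exposed"] else "ok     ", verdict["url"])
```

To use it against a live instance, fetch the resource with an authenticated session and pass the response's header mapping and raw body bytes to audit_resource; a resource that reports renders=True with active content is the condition this advisory describes, and a patched server should report either a non-renderable type or an attachment disposition for user-uploaded files.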


How to mitigate CVE-2023-51445

Install the security update from the vendor's website.
