Cross-site scripting in geoserver - CVE-2023-51445
Published: March 19, 2024 / Updated: May 5, 2026
geoserver
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary JavaScript in another administrator's browser.
The vulnerability exists due to cross-site scripting in the REST Resources API when viewing uploaded style or legend resources. A remote privileged user can upload a specially crafted resource file to execute arbitrary JavaScript in another administrator's browser.
User interaction is required, and the payload executes when another administrator views the stored file through the API.