QwikSec

Security Database

CVE

CWE

Training

CVE-2024-23640

Published: Mar 20, 2024

Modified: Aug 1, 2024

PUBLISHED

CVSS v3.1

4.8

MEDIUM

Description

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 2.23.3 and 2.24.0 that enables an authenticated administrator with workspace-level privileges to store a JavaScript payload in uploaded style/legend resources or in a specially crafted datastore file that will execute in the context of another user's browser when viewed in the Style Publisher. Access to the Style Publisher is available to all users although data security may limit users' ability to trigger the XSS. Versions 2.23.3 and 2.24.0 contain a fix for this issue.

Vendor	Product	Versions
geoserver	geoserver	affected `< 2.23.3`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

References

https://github.com/geoserver/geoserver/security/advisories/GHSA-9rfr-pf2x-g4xf

x_refsource_CONFIRM

https://github.com/geoserver/geoserver/pull/7162

x_refsource_MISC

https://github.com/geoserver/geoserver/pull/7181

x_refsource_MISC

https://osgeo-org.atlassian.net/browse/GEOS-11149

x_refsource_MISC

https://osgeo-org.atlassian.net/browse/GEOS-11155

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.