QwikSec

Security Database

CVE

CWE

Training

CVE-2024-23818

Published: Mar 20, 2024

Modified: Aug 1, 2024

PUBLISHED

CVSS v3.1

4.8

MEDIUM

Description

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 2.23.3 and 2.24.1 that enables an authenticated administrator with workspace-level privileges to store a JavaScript payload in the GeoServer catalog that will execute in the context of another user's browser when viewed in the WMS GetMap OpenLayers Output Format. Access to the WMS OpenLayers Format is available to all users by default although data and service security may limit users' ability to trigger the XSS. Versions 2.23.3 and 2.24.1 contain a patch for this issue.

Vendor	Product	Versions
geoserver	geoserver	affected `< 2.23.3` affected `= 2.24.0`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

References

https://github.com/geoserver/geoserver/security/advisories/GHSA-fcpm-hchj-mh72

x_refsource_CONFIRM

https://github.com/geoserver/geoserver/pull/7174

x_refsource_MISC

https://github.com/geoserver/geoserver/commit/4557a832eed19ec18b9753cb97e8aa85269741d2

x_refsource_MISC

https://github.com/geoserver/geoserver/commit/a26c32a469ee4c599236380452ffb4260361bd6f

x_refsource_MISC

https://osgeo-org.atlassian.net/browse/GEOS-11153

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.