CVE-2024-23640

Name of the Vulnerable Software and Affected Versions GeoServer versions prior to 2.23.3 and 2.24.0

Description A stored cross-site scripting (XSS) issue exists that enables an authenticated administrator with workspace-level privileges to store a JavaScript payload in uploaded style/legend resources or in a specially crafted datastore file. This payload will execute in the context of another user's browser when viewed in the Style Publisher. Access to the Style Publisher is available to all users, although data security may limit users' ability to trigger the XSS. If an attacker can control a script that is executed in the victim's browser, they can typically fully compromise that user, performing any action within the application that the user can perform, viewing any information that the user is able to view, modifying any information that the user is able to modify, and initiating interactions with other application users.

Recommendations For GeoServer versions prior to 2.23.3, update to version 2.23.3 or later to resolve the issue. For GeoServer versions prior to 2.24.0, update to version 2.24.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the Style Publisher to minimize the risk of exploitation.