CVE-2024-23642

Name of the Vulnerable Software and Affected Versions GeoServer versions prior to 2.23.4 and 2.24.1

Description A stored cross-site scripting (XSS) issue exists that enables an authenticated administrator with workspace-level privileges to store a JavaScript payload in the GeoServer catalog. This payload will execute in the context of another user's browser when viewed in the WMS GetMap SVG Output Format with the Simple SVG renderer enabled. Access to the WMS SVG Format is available to all users by default, although data and service security may limit users' ability to trigger the XSS. If an attacker can control a script that is executed in the victim's browser, they can typically fully compromise that user, performing any action within the application that the user can perform, viewing any information that the user is able to view, modifying any information that the user is able to modify, and initiating interactions with other application users.

Recommendations For versions prior to 2.23.4, update to version 2.23.4 or later. For versions prior to 2.24.1, update to version 2.24.1 or later. As a temporary workaround, consider disabling the Simple SVG renderer in the WMS GetMap SVG Output Format until a patch is available. Restrict access to the WMS SVG Format to minimize the risk of exploitation.