CVE-2024-23643

Name of the Vulnerable Software and Affected Versions GeoServer versions prior to 2.23.2 and 2.24.1

Description A stored cross-site scripting (XSS) issue exists that enables an authenticated administrator with workspace-level privileges to store a JavaScript payload in the GeoServer catalog. This payload will execute in the context of another administrator’s browser when viewed in the "GWC Seed Form". Access to the GWC Seed Form is limited to full administrators by default, and granting non-administrators access to this endpoint is not recommended.

Recommendations For versions prior to 2.23.2, update to version 2.23.2 or later. For versions prior to 2.24.1, update to version 2.24.1 or later. As a temporary workaround, consider restricting access to the GWC Seed Form to only full administrators to minimize the risk of exploitation.