CVE-2024-23818

Name of the Vulnerable Software and Affected Versions GeoServer versions prior to 2.23.3 and 2.24.1

Description A stored cross-site scripting (XSS) issue exists that enables an authenticated administrator with workspace-level privileges to store a JavaScript payload in the GeoServer catalog. This payload will execute in the context of another user's browser when viewed in the WMS GetMap OpenLayers Output Format. Access to the WMS OpenLayers Format is available to all users by default, although data and service security may limit users' ability to trigger the XSS.

Recommendations For versions prior to 2.23.3, update to version 2.23.3 or later. For versions prior to 2.24.1, update to version 2.24.1 or later. As a temporary workaround, consider restricting access to the WMS OpenLayers Format to minimize the risk of exploitation.