CVE-2024-23819

Name of the Vulnerable Software and Affected Versions GeoServer versions prior to 2.23.4 and 2.24.1

Description A stored cross-site scripting (XSS) issue exists that enables an authenticated administrator with workspace-level privileges to store a JavaScript payload in the GeoServer catalog. This payload will execute in the context of another user's browser when viewed in the "MapML HTML Page". The MapML extension must be installed, and access to the MapML HTML Page is available to all users, although data security may limit users' ability to trigger the XSS. If an attacker can control a script that is executed in the victim's browser, they can typically fully compromise that user, performing any action within the application that the user can perform, viewing any information that the user is able to view, modifying any information that the user is able to modify, and initiating interactions with other application users.

Recommendations For versions prior to 2.23.4, update to version 2.23.4 or later. For versions prior to 2.24.1, update to version 2.24.1 or later. As a temporary workaround, consider disabling the MapML extension until a patch is available. Restrict access to the MapML HTML Page to minimize the risk of exploitation.