CVE-2024-23821

Name of the Vulnerable Software and Affected Versions GeoServer versions prior to 2.23.4 and 2.24.1

Description A stored cross-site scripting (XSS) vulnerability exists in GeoServer that enables an authenticated administrator with workspace-level privileges to store a JavaScript payload in the GeoServer catalog. This payload will execute in the context of another user's browser when viewed in the GWC Demos Page. Access to the GWC Demos Page is available to all users, although data security may limit users' ability to trigger the XSS. If an attacker can control a script that is executed in the victim's browser, they can typically fully compromise that user, performing any action within the application that the user can perform, viewing any information that the user is able to view, modifying any information that the user is able to modify, and initiating interactions with other application users.

Recommendations For versions prior to 2.23.4, update to version 2.23.4 or later. For versions prior to 2.24.1, update to version 2.24.1 or later. As a temporary workaround, consider restricting access to the GWC Demos Page to minimize the risk of exploitation.