CVE-2024-23640

low-risk
Published 2024-03-20

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 2.23.3 and 2.24.0 that enables an authenticated administrator with workspace-level privileges to store a JavaScript payload in uploaded style/legend resources or in a specially crafted datastore file that will execute in the context of another user's browser when viewed in the Style Publisher. Access to the Style Publisher is available to all users although data security may limit users' ability to trigger the XSS. Versions 2.23.3 and 2.24.0 contain a fix for this issue.

Do I need to act?

-
0.42% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.8/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Geoserver

References (10)

Issue Tracking https://github.com/geoserver/geoserver/pull/7162
Issue Tracking https://github.com/geoserver/geoserver/pull/7181
Vendor Advisory https://github.com/geoserver/geoserver/security/advisories/GHSA-9rfr-pf2x-g4xf
Issue Tracking https://osgeo-org.atlassian.net/browse/GEOS-11149
Issue Tracking https://osgeo-org.atlassian.net/browse/GEOS-11155
Issue Tracking https://github.com/geoserver/geoserver/pull/7162
Issue Tracking https://github.com/geoserver/geoserver/pull/7181
Vendor Advisory https://github.com/geoserver/geoserver/security/advisories/GHSA-9rfr-pf2x-g4xf
Issue Tracking https://osgeo-org.atlassian.net/browse/GEOS-11149
Issue Tracking https://osgeo-org.atlassian.net/browse/GEOS-11155
26
/ 100
low-risk
Severity 19/34 · Moderate
Exploitability 2/34 · Minimal
Exposure 5/34 · Minimal