CVE-2024-23821: GeoServer's GWC Demos Page vulnerable to Stored Cross-Site Scripting (XSS)

March 20, 2024

A stored cross-site scripting (XSS) vulnerability exists that enables an authenticated administrator with workspace-level privileges to store a JavaScript payload in the GeoServer catalog that will execute in the context of another user’s browser when viewed in the GWC Demos Page. Access to the GWC Demos Page is available to all users although data security may limit users’ ability to trigger the XSS.

References

github.com/GeoWebCache/geowebcache/issues/1171
github.com/GeoWebCache/geowebcache/pull/1173
github.com/advisories/GHSA-88wc-fcj9-q3r9
github.com/geoserver/geoserver
github.com/geoserver/geoserver/security/advisories/GHSA-88wc-fcj9-q3r9
nvd.nist.gov/vuln/detail/CVE-2024-23821

Code Behaviors & Features

Detect and mitigate CVE-2024-23821 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →