GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. In versions prior to 2.23.2 and 2.24.1, a stored cross-site scripting (XSS) vulnerability allows an authenticated administrator with workspace-level privileges to store a JavaScript payload in the GeoServer catalog. The payload executes in the context of another administrator’s browser when it is viewed in the GeoWebCache (GWC) Seed Form. Access to the GWC Seed Form is limited to full administrators by default, and granting non-administrators access to this endpoint is not recommended. Versions 2.23.2 and 2.24.1 contain a fix for this issue.
{
"cwe_ids": [
"CWE-79"
],
"cna_assigner": "GitHub_M",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/23xxx/CVE-2024-23643.json"
}[
{
"source": "https://github.com/geowebcache/geowebcache/commit/9d010e09c784690ada8af43f594461a2553a62f0",
"target": {
"function": "makeModifiableParameters",
"file": "geowebcache/rest/src/main/java/org/geowebcache/rest/service/FormService.java"
},
"signature_type": "Function",
"id": "CVE-2024-23643-12d241c6",
"deprecated": false,
"signature_version": "v1",
"digest": {
"length": 1386.0,
"function_hash": "42998344771108785665986569415757111072"
}
},
{
"source": "https://github.com/geowebcache/geowebcache/commit/9d010e09c784690ada8af43f594461a2553a62f0",
"target": {
"function": "makeBboxHints",
"file": "geowebcache/rest/src/main/java/org/geowebcache/rest/service/FormService.java"
},
"signature_type": "Function",
"id": "CVE-2024-23643-2852d209",
"deprecated": false,
"signature_version": "v1",
"digest": {
"length": 243.0,
"function_hash": "316786741444268532952782687935776717723"
}
},
{
"source": "https://github.com/geowebcache/geowebcache/commit/9d010e09c784690ada8af43f594461a2553a62f0",
"target": {
"function": "makePullDown",
"file": "geowebcache/rest/src/main/java/org/geowebcache/rest/service/FormService.java"
},
"signature_type": "Function",
"id": "CVE-2024-23643-3ba2137a",
"deprecated": false,
"signature_version": "v1",
"digest": {
"length": 586.0,
"function_hash": "65169380951516828534676053295034578259"
}
},
{
"source": "https://github.com/geowebcache/geowebcache/commit/9d010e09c784690ada8af43f594461a2553a62f0",
"target": {
"function": "makeTextInput",
"file": "geowebcache/rest/src/main/java/org/geowebcache/rest/service/FormService.java"
},
"signature_type": "Function",
"id": "CVE-2024-23643-60cb1afa",
"deprecated": false,
"signature_version": "v1",
"digest": {
"length": 194.0,
"function_hash": "302559899331592193270305573697388929999"
}
},
{
"source": "https://github.com/geowebcache/geowebcache/commit/9d010e09c784690ada8af43f594461a2553a62f0",
"target": {
"function": "makeFormHeader",
"file": "geowebcache/rest/src/main/java/org/geowebcache/rest/service/FormService.java"
},
"signature_type": "Function",
"id": "CVE-2024-23643-8bed70d6",
"deprecated": false,
"signature_version": "v1",
"digest": {
"length": 274.0,
"function_hash": "45387006254107262882320830035351828090"
}
},
{
"source": "https://github.com/geowebcache/geowebcache/commit/9d010e09c784690ada8af43f594461a2553a62f0",
"target": {
"file": "geowebcache/rest/src/test/java/org/geowebcache/rest/service/FormServiceTest.java"
},
"signature_type": "Line",
"id": "CVE-2024-23643-8ed7b879",
"deprecated": false,
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"93979938718773751060936394031467836123",
"310643145412387731512992554030513066875",
"211622064264291711784667007913932714635",
"3791499440987366965171917002893182911",
"129273459394609860575170234574855818408",
"102028833702634520780867230071373060147",
"278971589014696278401399321608422167422",
"94744169214263536521791709816318852949",
"279641879984668709823898754400064265155",
"61890675645805344781400538153118584729",
"153254155027776975195708872847140959104",
"315842623944455755548215884103063719902",
"257177593006535901182318598988908191908",
"326073728049471167829097673959637293250",
"177541466498260885031876481734671628328",
"295346807650403948430893428070286675869",
"61841128030416593581331169336508422141",
"137596443800521891141136305853140789399"
]
}
},
{
"source": "https://github.com/geowebcache/geowebcache/commit/9d010e09c784690ada8af43f594461a2553a62f0",
"target": {
"file": "geowebcache/rest/src/main/java/org/geowebcache/rest/service/FormService.java"
},
"signature_type": "Line",
"id": "CVE-2024-23643-92be4c03",
"deprecated": false,
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"269938573382186786951016945646636246671",
"265157265714536407328987322436651653760",
"277124571602723453859954087539980357030",
"199228694861788965023119825879279740419",
"294335359778260425082913076128742639041",
"255061376914424309403511520046740238437",
"245472061167438038999889828057969881809",
"119147359685287957582064510071479528855",
"212973156504232613895268193721754871687",
"292551519160550688457635240996802329800",
"34047678213393139640589876124107069892",
"19104151004287412141008291466805544338",
"81556767105064515262307260254793860395",
"114600032886586036957693047762054360255",
"164637651468956879670824412536046898594",
"231755128488066808872590087434504710828",
"97526088373585645892649885622850166908",
"267084000257240915436271883425561033950",
"113184227472294577057541655265341795059",
"62546637589110175022093683413295177166",
"58877379529314794790292458270248185003",
"96251495931896907204535869107031769345",
"261080371609487726851160166146618131874",
"279788561061064905795244956968510663172",
"161026355040115903810951196907892759885",
"42915927053664266494151270736188170024",
"255773017474521577662209555754885647151",
"94355730301171613717502378379459203398",
"177795729496843079293484624211026267991",
"19189518630316713095603160780210717012",
"238429055871382882942496240298023576543",
"250419685088077638136836291140475006737",
"311782665316722392260689639279422680506",
"217631537322298366141500485033193773843",
"252856365276766477979198724991897976692",
"193619600158116700752819370904336000039",
"251716787505268595139764862125111859106",
"263588676859985231802383565519346212680",
"85784769200109169914635501802696909498",
"111028892646166377395460474026042700875",
"31569296075184229509639656001366901454",
"155330535343354223919340355691029035426",
"137234196611080129275850903106117546034",
"77434446034298803093761902602099364674",
"134401521186597077134759307768106069362",
"316302094059364777668509981861941056509",
"184356296550735268069795468146399327261",
"111709960011425644171016798913698465476",
"263123117828302512966654234846463708057",
"318524077112576449197388120434747378508",
"95956453803994533677495248312747330977",
"170834449323416614286764610041388488922",
"306818665918350291639013515904639134777",
"325733854384794610883950514630004311445",
"93366368095295527374364222818787095563",
"237779475706490605467030283887888970633",
"296730697915689974397369286546779267849",
"107764859773443520819145195472158183864",
"28257360267700577812784905773409174824",
"189781596590032975089387766255021029530",
"248404809515828198664205250328773325764",
"48423563783883417915395383439446787449",
"30204404380568493356799265198237275345",
"258835257837729165025559866901245522429"
]
}
},
{
"source": "https://github.com/geowebcache/geowebcache/commit/9d010e09c784690ada8af43f594461a2553a62f0",
"target": {
"function": "makeKillallThreadsForm",
"file": "geowebcache/rest/src/main/java/org/geowebcache/rest/service/FormService.java"
},
"signature_type": "Function",
"id": "CVE-2024-23643-d96b8ac1",
"deprecated": false,
"signature_version": "v1",
"digest": {
"length": 1835.0,
"function_hash": "75079430735591282713494245771847391258"
}
},
{
"source": "https://github.com/geowebcache/geowebcache/commit/9d010e09c784690ada8af43f594461a2553a62f0",
"target": {
"function": "makeTaskList",
"file": "geowebcache/rest/src/main/java/org/geowebcache/rest/service/FormService.java"
},
"signature_type": "Function",
"id": "CVE-2024-23643-d972dc41",
"deprecated": false,
"signature_version": "v1",
"digest": {
"length": 3122.0,
"function_hash": "28294691750523531300729948266107579800"
}
},
{
"source": "https://github.com/geowebcache/geowebcache/commit/9d010e09c784690ada8af43f594461a2553a62f0",
"target": {
"function": "makeThreadKillForm",
"file": "geowebcache/rest/src/main/java/org/geowebcache/rest/service/FormService.java"
},
"signature_type": "Function",
"id": "CVE-2024-23643-f264362b",
"deprecated": false,
"signature_version": "v1",
"digest": {
"length": 424.0,
"function_hash": "223811769229096538937125139316850142466"
}
}
]