CVE-2024-23821

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-23821
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-23821.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-23821
Aliases
Published
2024-03-20T18:03:25Z
Modified
2025-11-04T19:32:33Z
Severity
  • 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
GeoServer's GWC Demos Page vulnerable to Stored Cross-Site Scripting (XSS)
Details

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 2.23.4 and 2.24.1 that enables an authenticated administrator with workspace-level privileges to store a JavaScript payload in the GeoServer catalog that will execute in the context of another user's browser when viewed in the GWC Demos Page. Access to the GWC Demos Page is available to all users although data security may limit users' ability to trigger the XSS. Versions 2.23.4 and 2.24.1 contain a patch for this issue.

Database specific 
{
    "cwe_ids": [
        "CWE-79"
    ]
}
References

Affected packages

Git / github.com/geoserver/geoserver

Affected ranges

Type
GIT
Repo
https://github.com/geoserver/geoserver
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
31f4807730bc3c65ebd6cf2cbda994e178cd3e86
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.23.4"
        }
    ]
}
Type
GIT
Repo
https://github.com/geoserver/geoserver
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
a6665cb505d45b639e62ff178b507914d089a28b
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "= 2.24.0"
        }
    ]
}