CVE-2024-23642

CVSS 3.1 Score 4.8 of 10 (medium)

Details

Published: Mar 20, 2024
Updated: Dec 17, 2024
CWE ID: 79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')

Summary

CVE-2024-23642 is a stored cross-site scripting (XSS) vulnerability in GeoServer, an open-source Java server for managing and sharing geospatial data. It affects GeoServer releases before 2.23.4 and 2.24.x releases before 2.24.1. An authenticated user holding workspace administrator privileges can store JavaScript in the GeoServer catalog; that stored content is later written into the response of the WMS GetMap SVG output format when the Simple SVG renderer is enabled, and executes in the browser of any user who opens that response. The injected script therefore runs in the context of whoever requests the SVG output, not only the administrator who stored it. Exposure is reduced, but not removed, by GeoServer's data and service security configuration, which in many deployments restricts who can reach the WMS SVG format. GeoServer 2.23.4 and 2.24.1 contain the fix; upgrading to one of those releases or later is the remediation.
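The pattern behind this class of bug, shown as an added illustration that is not GeoServer code (GeoServer is written in Java; this is a stand-alone Python sketch). It assumes a catalog string such as a layer title (an assumed field, not taken from the advisory) is interpolated into an SVG response. Because SVG is XML and a browser that navigates directly to an image/svg+xml document executes any script element in it, unescaped catalog text becomes live markup. The constructed payload is written so the resulting document stays well-formed, since a browser rejects malformed SVG outright. The hardened writer escapes the text, and a small XML-parsing check shows the difference rather than relying on eyeballing the strings.

```python
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape

SVG_NS = "http://www.w3.org/2000/svg"

# Constructed payload: what an attacker with catalog write access could store
# as a layer title. It closes the <title> it lands in, inserts a <script>, and
# reopens <title> so the SVG remains well-formed XML.
PAYLOAD = "Roads</title><script>alert(document.cookie)</script><title>"


def render_svg_unsafe(layer_title: str) -> str:
    """Vulnerable pattern: catalog text interpolated straight into the SVG."""
    return (
        f'<svg xmlns="{SVG_NS}" width="100" height="100">'
        f"<title>{layer_title}</title>"
        '<rect x="10" y="10" width="80" height="80"/>'
        "</svg>"
    )


def render_svg_safe(layer_title: str) -> str:
    """Hardened: escape() turns & < > into entities, so the title stays data."""
    return (
        f'<svg xmlns="{SVG_NS}" width="100" height="100">'
        f"<title>{escape(layer_title)}</title>"
        '<rect x="10" y="10" width="80" height="80"/>'
        "</svg>"
    )


def script_elements(svg: str) -> list:
    """Parse as XML (as a browser does for image/svg+xml) and list <script> bodies."""
    root = ET.fromstring(svg)
    return [el.text or "" for el in root.iter(f"{{{SVG_NS}}}script")]


def title_text(svg: str) -> str:
    """Return the text of the first <title> element after XML parsing."""
    root = ET.fromstring(svg)
    return root.find(f"{{{SVG_NS}}}title").text or ""


if __name__ == "__main__":
    unsafe = render_svg_unsafe(PAYLOAD)
    safe = render_svg_safe(PAYLOAD)
    print("unsafe -> script elements:", script_elements(unsafe))
    print("safe   -> script elements:", script_elements(safe))
    print("safe   -> title as data:  ", repr(title_text(safe)))
```

The check parses the output with an XML parser rather than searching for the substring `<script>`, because that is what decides whether the browser sees an element or text: in the unsafe output the parser finds a script element with body `alert(document.cookie)`, in the hardened output it finds none and the whole payload survives as the literal title text.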
