CVE-2024-23643
CVSS 3.1 Score 4.8 of 10 (medium)
Details
Summary
CVE-2024-23643 is a stored cross-site scripting (XSS) vulnerability affecting versions prior to 2.23.2 and 2.24.1 of GeoServer, an open-source Java-based geospatial software server. This issue allows an authenticated administrator with workspace-level privileges to inject a JavaScript payload into the GeoServer catalog, which will be executed in another administrator's browser when they view the GWC Seed Form. Access to this form is limited to full administrators by default, and granting non-administrators access is not recommended. Versions 2.23.2 and 2.24.1 have been released with the necessary fixes to address this vulnerability.
Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.
Affected Products
- GeoServer
Affected Vendors
- GeoServer