CVE-2024-23643

CVSS 3.1 Score 4.8 of 10 (medium)

Details

Published Mar 20, 2024
Updated: Dec 17, 2024
CWE ID 79

Summary

CVE-2024-23643 is a stored cross-site scripting (XSS) vulnerability affecting versions prior to 2.23.2 and 2.24.1 of GeoServer, an open-source Java-based geospatial software server. This issue allows an authenticated administrator with workspace-level privileges to inject a JavaScript payload into the GeoServer catalog, which will be executed in another administrator's browser when they view the GWC Seed Form. Access to this form is limited to full administrators by default, and granting non-administrators access is not recommended. Versions 2.23.2 and 2.24.1 have been released with the necessary fixes to address this vulnerability.

Ligh bulbPrevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Share