4.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-23642

GHSA ID

GHSA-fg9v-56hw-g525

EPSS Score

0.52442%

CWE

CWE-79

Published

3/20/2024

Updated

3/20/2024

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-23642

CVE-2024-23642: GeoServer's Simple SVG Renderer vulnerable to Stored Cross-Site Scripting (XSS)

Summary

A stored cross-site scripting (XSS) vulnerability exists that enables an authenticated administrator with workspace-level privileges to store a JavaScript payload in the GeoServer catalog that will execute in the context of another user's browser when viewed in the WMS GetMap SVG Output Format when the Simple SVG renderer is enabled. Access to the WMS SVG Format is available to all users by default although data and service security may limit users' ability to trigger the XSS.

Details

Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer.

PoC

Complete instructions, including specific configuration details, to reproduce the vulnerability.

Impact

If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user. Amongst other things, the attacker can:

1 .Perform any action within the application that the user can perform. 2. View any information that the user is able to view. 3. Modify any information that the user is able to modify. 4. Initiate interactions with other application users, including malicious attacks, that will appear to originate from the initial victim user.

References

https://osgeo-org.atlassian.net/browse/GEOS-11152 https://github.com/geoserver/geoserver/pull/7173

(GitHub Advisory)

4.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-23642

GHSA ID

GHSA-fg9v-56hw-g525

EPSS Score

0.52442%

CWE

CWE-79

Published

3/20/2024

Updated

3/20/2024

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.geoserver:gs-wms	maven	< 2.23.4	2.23.4
org.geoserver:gs-wms	maven	>= 2.24.0, < 2.24.1	2.24.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from unescaped user-controlled input being written into SVG elements. The commit diff shows the addition of XML escaping for 'groupId' and 'styleName' using escapeXml10, which were previously written raw into <g> element attributes. These parameters come from workspace-level administrator-controlled catalog entries (layer groups and style names). The test case added in SVGMapProducerTest.java specifically verifies proper escaping of special characters in these fields, confirming their role in the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry * stor** *ross-sit* s*riptin* (XSS) vuln*r**ility *xists t**t *n**l*s *n *ut**nti**t** **ministr*tor wit* worksp***-l*v*l privil***s to stor* * J*v*S*ript p*ylo** in t** **oS*rv*r **t*lo* t**t will *x**ut* in t** *ont*xt o* *not**r us*r's

Reasoning

T** vuln*r**ility st*ms *rom un*s**p** us*r-*ontroll** input **in* writt*n into SV* *l*m*nts. T** *ommit *i** s*ows t** ***ition o* XML *s**pin* *or '*roupI*' *n* 'styl*N*m*' usin* `*s**p*Xml**`, w*i** w*r* pr*viously writt*n r*w into <*> *l*m*nt *tt

4.8

Basic Information

Concerned about an active attack path?

CVE-2024-23642: GeoServer's Simple SVG Renderer vulnerable to Stored Cross-Site Scripting (XSS)

Summary

Details

PoC

Impact

References

4.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI