4.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-23821

GHSA ID

GHSA-88wc-fcj9-q3r9

EPSS Score

0.56103%

CWE

CWE-79

Published

3/20/2024

Updated

3/20/2024

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-23821

CVE-2024-23821: GeoServer's GWC Demos Page vulnerable to Stored Cross-Site Scripting (XSS)

Summary

A stored cross-site scripting (XSS) vulnerability exists that enables an authenticated administrator with workspace-level privileges to store a JavaScript payload in the GeoServer catalog that will execute in the context of another user's browser when viewed in the GWC Demos Page. Access to the GWC Demos Page is available to all users although data security may limit users' ability to trigger the XSS.

Impact

If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user. Amongst other things, the attacker can:

1 .Perform any action within the application that the user can perform. 2. View any information that the user is able to view. 3. Modify any information that the user is able to modify. 4. Initiate interactions with other application users, including malicious attacks, that will appear to originate from the initial victim user.

References

https://github.com/GeoWebCache/geowebcache/issues/1171 https://github.com/GeoWebCache/geowebcache/pull/1173

(GitHub Advisory)

4.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-23821

GHSA ID

GHSA-88wc-fcj9-q3r9

EPSS Score

0.56103%

CWE

CWE-79

Published

3/20/2024

Updated

3/20/2024

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.geoserver:gs-gwc	maven	>= 2.24.0, < 2.24.1	2.24.1
org.geoserver:gs-gwc	maven	< 2.23.4	2.23.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insufficient output encoding in the GWC Demos Page rendering logic. The pull request #1173 specifically modifies Demo.java to replace StringEscapeUtils.escapeEcmaScript with OWASP Encoder's forHtmlContent and forHtmlAttribute methods, indicating this was the vulnerable area. The Demo class handles the demo page generation where user-controlled input (layer names/parameters) was rendered without proper HTML context-aware escaping, making it susceptible to stored XSS attacks when malicious payloads are injected into the catalog.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry * stor** *ross-sit* s*riptin* (XSS) vuln*r**ility *xists t**t *n**l*s *n *ut**nti**t** **ministr*tor wit* worksp***-l*v*l privil***s to stor* * J*v*S*ript p*ylo** in t** **oS*rv*r **t*lo* t**t will *x**ut* in t** *ont*xt o* *not**r us*r's

Reasoning

T** vuln*r**ility st*ms *rom insu**i*i*nt output *n*o*in* in t** *W* **mos P*** r*n**rin* lo*i*. T** pull r*qu*st #**** sp**i*i**lly mo*i*i*s `**mo.j*v*` to r*pl*** `Strin**s**p*Utils.*s**p***m*S*ript` wit* OW*SP *n*o**r's `*or*tml*ont*nt` *n* `*or*t

4.8

Basic Information

Concerned about an active attack path?

CVE-2024-23821: GeoServer's GWC Demos Page vulnerable to Stored Cross-Site Scripting (XSS)

Summary

Impact

References

4.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI