{"id":"CVE-2024-23643","summary":"GeoServer Stored Cross-Site Scripting (XSS) vulnerability in GWC Seed Form","details":"GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 2.23.2 and 2.24.1 that enables an authenticated administrator with workspace-level privileges to store a JavaScript payload in the GeoServer catalog that will execute in the context of another administrator’s browser when viewed in the GWC Seed Form. Access to the GWC Seed Form is limited to full administrators by default and granting non-administrators access to this endpoint is not recommended. Versions 2.23.2 and 2.24.1 contain a fix for this issue.","aliases":["GHSA-56r3-f536-5gf7"],"modified":"2026-04-12T05:53:18.080662Z","published":"2024-03-20T17:50:48.344Z","database_specific":{"cwe_ids":["CWE-79"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/23xxx/CVE-2024-23643.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/23xxx/CVE-2024-23643.json"},{"type":"ADVISORY","url":"https://github.com/geoserver/geoserver/security/advisories/GHSA-56r3-f536-5gf7"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-23643"},{"type":"REPORT","url":"https://github.com/GeoWebCache/geowebcache/issues/1172"},{"type":"FIX","url":"https://github.com/GeoWebCache/geowebcache/commit/9d010e09c784690ada8af43f594461a2553a62f0"},{"type":"FIX","url":"https://github.com/GeoWebCache/geowebcache/pull/1174"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/geoserver/geoserver","events":[{"introduced":"0"},{"fixed":"c7e573d83a6f5982e08da4c9fc32a765bcc24a0c"}]}],"versions":["2.11-beta","2.21-M0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-23643.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/geowebcache/geowebcache","events":[{"introduced":"0"},{"fixed":"9d010e09c784690ada8af43f594461a2553a62f0"}]}],"versions":["0.7.2","0.8.3","1.0-RC0","1.0-RC1","1.0-alpha0","1.0-beta","1.0-beta0","1.0-beta1","1.0-beta2","1.0-beta3","1.10-M0","1.10-beta","1.11-beta","1.12-beta","1.13-beta","1.14-RC","1.15-M0","1.2.4","1.2.5_GS-2.1-RC3","1.24-RC","1.24.0","1.3-RC1","1.6.0-RC1","1.6.0-beta","1.7-beta","1.8-M0","1.8-beta","1.9-M0","1.9-beta2","gs-2.1-RC1","pre-1.2.3"],"database_specific":{"vanir_signatures":[{"deprecated":false,"signature_version":"v1","signature_type":"Function","target":{"file":"geowebcache/rest/src/main/java/org/geowebcache/rest/service/FormService.java","function":"makeModifiableParameters"},"source":"https://github.com/geowebcache/geowebcache/commit/9d010e09c784690ada8af43f594461a2553a62f0","id":"CVE-2024-23643-12d241c6","digest":{"function_hash":"42998344771108785665986569415757111072","length":1386}},{"deprecated":false,"signature_version":"v1","signature_type":"Function","target":{"file":"geowebcache/rest/src/main/java/org/geowebcache/rest/service/FormService.java","function":"makeBboxHints"},"source":"https://github.com/geowebcache/geowebcache/commit/9d010e09c784690ada8af43f594461a2553a62f0","id":"CVE-2024-23643-2852d209","digest":{"function_hash":"316786741444268532952782687935776717723","length":243}},{"deprecated":false,"signature_version":"v1","signature_type":"Function","target":{"file":"geowebcache/rest/src/main/java/org/geowebcache/rest/service/FormService.java","function":"makePullDown"},"source":"https://github.com/geowebcache/geowebcache/commit/9d010e09c784690ada8af43f594461a2553a62f0","id":"CVE-2024-23643-3ba2137a","digest":{"function_hash":"65169380951516828534676053295034578259","length":586}},{"deprecated":false,"signature_version":"v1","signature_type":"Function","target":{"file":"geowebcache/rest/src/main/java/org/geowebcache/rest/service/FormService.java","function":"makeTextInput"},"source":"https://github.com/geowebcache/geowebcache/commit/9d010e09c784690ada8af43f594461a2553a62f0","id":"CVE-2024-23643-60cb1afa","digest":{"function_hash":"302559899331592193270305573697388929999","length":194}},{"deprecated":false,"signature_version":"v1","signature_type":"Function","target":{"file":"geowebcache/rest/src/main/java/org/geowebcache/rest/service/FormService.java","function":"makeFormHeader"},"source":"https://github.com/geowebcache/geowebcache/commit/9d010e09c784690ada8af43f594461a2553a62f0","id":"CVE-2024-23643-8bed70d6","digest":{"function_hash":"45387006254107262882320830035351828090","length":274}},{"deprecated":false,"signature_version":"v1","signature_type":"Line","target":{"file":"geowebcache/rest/src/test/java/org/geowebcache/rest/service/FormServiceTest.java"},"source":"https://github.com/geowebcache/geowebcache/commit/9d010e09c784690ada8af43f594461a2553a62f0","id":"CVE-2024-23643-8ed7b879","digest":{"threshold":0.9,"line_hashes":["93979938718773751060936394031467836123","310643145412387731512992554030513066875","211622064264291711784667007913932714635","3791499440987366965171917002893182911","129273459394609860575170234574855818408","102028833702634520780867230071373060147","278971589014696278401399321608422167422","94744169214263536521791709816318852949","279641879984668709823898754400064265155","61890675645805344781400538153118584729","153254155027776975195708872847140959104","315842623944455755548215884103063719902","257177593006535901182318598988908191908","326073728049471167829097673959637293250","177541466498260885031876481734671628328","295346807650403948430893428070286675869","61841128030416593581331169336508422141","137596443800521891141136305853140789399"]}},{"deprecated":false,"signature_version":"v1","signature_type":"Line","target":{"file":"geowebcache/rest/src/main/java/org/geowebcache/rest/service/FormService.java"},"source":"https://github.com/geowebcache/geowebcache/commit/9d010e09c784690ada8af43f594461a2553a62f0","id":"CVE-2024-23643-92be4c03","digest":{"threshold":0.9,"line_hashes":["269938573382186786951016945646636246671","265157265714536407328987322436651653760","277124571602723453859954087539980357030","199228694861788965023119825879279740419","294335359778260425082913076128742639041","255061376914424309403511520046740238437","245472061167438038999889828057969881809","119147359685287957582064510071479528855","212973156504232613895268193721754871687","292551519160550688457635240996802329800","34047678213393139640589876124107069892","19104151004287412141008291466805544338","81556767105064515262307260254793860395","114600032886586036957693047762054360255","164637651468956879670824412536046898594","231755128488066808872590087434504710828","97526088373585645892649885622850166908","267084000257240915436271883425561033950","113184227472294577057541655265341795059","62546637589110175022093683413295177166","58877379529314794790292458270248185003","96251495931896907204535869107031769345","261080371609487726851160166146618131874","279788561061064905795244956968510663172","161026355040115903810951196907892759885","42915927053664266494151270736188170024","255773017474521577662209555754885647151","94355730301171613717502378379459203398","177795729496843079293484624211026267991","19189518630316713095603160780210717012","238429055871382882942496240298023576543","250419685088077638136836291140475006737","311782665316722392260689639279422680506","217631537322298366141500485033193773843","252856365276766477979198724991897976692","193619600158116700752819370904336000039","251716787505268595139764862125111859106","263588676859985231802383565519346212680","85784769200109169914635501802696909498","111028892646166377395460474026042700875","31569296075184229509639656001366901454","155330535343354223919340355691029035426","137234196611080129275850903106117546034","77434446034298803093761902602099364674","134401521186597077134759307768106069362","316302094059364777668509981861941056509","184356296550735268069795468146399327261","111709960011425644171016798913698465476","263123117828302512966654234846463708057","318524077112576449197388120434747378508","95956453803994533677495248312747330977","170834449323416614286764610041388488922","306818665918350291639013515904639134777","325733854384794610883950514630004311445","93366368095295527374364222818787095563","237779475706490605467030283887888970633","296730697915689974397369286546779267849","107764859773443520819145195472158183864","28257360267700577812784905773409174824","189781596590032975089387766255021029530","248404809515828198664205250328773325764","48423563783883417915395383439446787449","30204404380568493356799265198237275345","258835257837729165025559866901245522429"]}},{"deprecated":false,"signature_version":"v1","signature_type":"Function","target":{"file":"geowebcache/rest/src/main/java/org/geowebcache/rest/service/FormService.java","function":"makeKillallThreadsForm"},"source":"https://github.com/geowebcache/geowebcache/commit/9d010e09c784690ada8af43f594461a2553a62f0","id":"CVE-2024-23643-d96b8ac1","digest":{"function_hash":"75079430735591282713494245771847391258","length":1835}},{"deprecated":false,"signature_version":"v1","signature_type":"Function","target":{"file":"geowebcache/rest/src/main/java/org/geowebcache/rest/service/FormService.java","function":"makeTaskList"},"source":"https://github.com/geowebcache/geowebcache/commit/9d010e09c784690ada8af43f594461a2553a62f0","id":"CVE-2024-23643-d972dc41","digest":{"function_hash":"28294691750523531300729948266107579800","length":3122}},{"deprecated":false,"signature_version":"v1","signature_type":"Function","target":{"file":"geowebcache/rest/src/main/java/org/geowebcache/rest/service/FormService.java","function":"makeThreadKillForm"},"source":"https://github.com/geowebcache/geowebcache/commit/9d010e09c784690ada8af43f594461a2553a62f0","id":"CVE-2024-23643-f264362b","digest":{"function_hash":"223811769229096538937125139316850142466","length":424}}],"vanir_signatures_modified":"2026-04-12T05:53:18Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-23643.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"}]}