CVE-2023-51445

Exploit

EPSS 0.72%
Veröffentlicht 20.03.2024 16:15:07
Zuletzt bearbeitet 18.12.2024 21:56:24
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 2.23.3 and 2.24.0 that enables an authenticated administrator with workspace-level privileges to store a JavaScript payload in uploaded style/legend resources that will execute in the context of another administrator's browser when viewed in the REST Resources API.  Access to the REST Resources API is limited to full administrators by default and granting non-administrators access to this endpoint should be carefully considered as it may allow access to files containing sensitive information. Versions 2.23.3 and 2.24.0 contain a patch for this issue.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Geoserver ≫ Geoserver Version < 2.23.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.72%	0.718

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.8	1.7	2.7	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
security-advisories@github.com	4.8	1.7	2.7	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/geoserver/geoserver/commit/7db985738ff2422019ccac974cf547bae5770cad

Patch

https://github.com/geoserver/geoserver/pull/7161

Issue Tracking

https://github.com/geoserver/geoserver/security/advisories/GHSA-fh7p-5f6g-vj2w

Vendor Advisory

Exploit

https://osgeo-org.atlassian.net/browse/GEOS-11148

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2023-51445

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-51445

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-51445

EUVD