CVE-2023-51445 in GeoServer

Summary

by MITRE • 03/20/2024

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 2.23.3 and 2.24.0 that enables an authenticated administrator with workspace-level privileges to store a JavaScript payload in uploaded style/legend resources that will execute in the context of another administrator's browser when viewed in the REST Resources API. Access to the REST Resources API is limited to full administrators by default and granting non-administrators access to this endpoint should be carefully considered as it may allow access to files containing sensitive information. Versions 2.23.3 and 2.24.0 contain a patch for this issue.


Analysis

by VulDB Data Team • 04/13/2025

This vulnerability is a stored cross-site scripting flaw in GeoServer that shows the risk of insufficient input and output handling in web applications that accept uploaded geospatial style assets. It affects versions prior to 2.23.3 and 2.24.0: an authenticated administrator with workspace-level privileges can place JavaScript in uploaded style and legend resources. The payload is delivered through the REST Resources API, which by default is reachable only by full administrators but can be opened to other roles. The attack deserves attention because the payload is stored server-side and executes in the browser of any other administrator who views the resource through that API, so a single upload can be triggered again and again.

Technically, the flaw stems from inadequate sanitization of user-supplied content in the style and legend upload path. Resources containing JavaScript are accepted and stored verbatim, and the REST Resources API neither validates nor escapes them before presenting them to a browser. The stored payload runs whenever another administrator views the resource through that API, turning the server into a persistence mechanism for a client-side attack. The issue is classified as CWE-79 (improper neutralization of input during web page generation, i.e. cross-site scripting): insufficient output escaping lets attacker-controlled markup execute as script in the victim's browser. Authentication is required, but the attack abuses the trust relationship between administrators and the application, which matters most where several administrators with different privilege levels share one instance.

The operational impact goes beyond running a script: code executing in a full administrator's browser session can issue requests with that administrator's privileges. A workspace-level administrator could therefore potentially read files exposed through the REST Resources API, including ones containing credentials or other sensitive configuration, manipulate geospatial data and styles, or use the hijacked administrator session to establish persistent access. Because the REST Resources API is a central management interface, it is an attractive target for an attacker aiming at the whole installation. Organizations that rely on GeoServer for mapping services, environmental monitoring or GIS workflows, and whose administrative interface is shared by several users with differing privileges, are the most exposed.

Organizations should upgrade to GeoServer 2.23.3 or 2.24.0 (or later), which contain the fix. Administrators should also review who can reach the REST Resources API and keep it restricted to fully trusted administrators, as it is by default; the same endpoint exposes files that may contain sensitive information, so widening access has consequences beyond this XSS. As defense in depth, a Content Security Policy that forbids inline script (set at the reverse proxy if the deployment has one), regular audits of uploaded style and legend resources for script content, and monitoring of administrative activity all reduce the window of exposure. A web application firewall is of limited value here, because the payload arrives as an authenticated upload in a legitimate style or image format rather than as an obvious injection in a request parameter; routine security assessments of geospatial applications are the better investment. On the ATT&CK side, T1566 (Phishing) does not describe this issue, which needs no lure; a stored XSS payload executing in an administrator's browser is better described by T1059.007 (Command and Scripting Interpreter: JavaScript).
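The audit of uploaded resources suggested above can be scripted. The following is an added example, not GeoServer code and not part of the original entry: it walks the global styles/ directory and every workspaces/<name>/styles/ directory of a GeoServer data directory and flags style or legend files that contain active content (script tags, inline event handlers, javascript: URIs, embedded objects). The marker patterns, the file suffix list and the sample data directory are constructed for this example; the endpoint referenced in the sample payload is only a placeholder.

```python
import re
import tempfile
from pathlib import Path

# Heuristic markers of active content in uploaded style/legend resources.
# The list is this example's own, not a GeoServer rule set.
ACTIVE_CONTENT = [
    ("script-tag", re.compile(r"<\s*script\b", re.IGNORECASE)),
    ("event-handler", re.compile(r"\son[a-z]+\s*=", re.IGNORECASE)),
    ("javascript-uri", re.compile(r"javascript\s*:", re.IGNORECASE)),
    ("embedded-object", re.compile(r"<\s*(iframe|object|embed|foreignObject)\b", re.IGNORECASE)),
]

# File types found under styles/ that a browser may render inline (assumed list)
RESOURCE_SUFFIXES = {".sld", ".svg", ".html", ".htm", ".xml", ".css", ".ysld"}


def style_dirs(data_dir):
    """Global styles/ plus every workspaces/<ws>/styles/ that exists."""
    root = Path(data_dir)
    candidates = [root / "styles"]
    workspaces = root / "workspaces"
    if workspaces.is_dir():
        candidates += [ws / "styles" for ws in sorted(workspaces.iterdir())]
    return [d for d in candidates if d.is_dir()]


def scan_file(path):
    """Return the names of all active-content markers found in one file."""
    try:
        text = Path(path).read_text(encoding="utf-8", errors="replace")
    except OSError:
        return []
    return [name for name, pattern in ACTIVE_CONTENT if pattern.search(text)]


def audit(data_dir):
    """Walk every style directory; report (relative path, markers) for flagged files."""
    root = Path(data_dir)
    findings = []
    for directory in style_dirs(root):
        for path in sorted(directory.rglob("*")):
            if path.is_file() and path.suffix.lower() in RESOURCE_SUFFIXES:
                hits = scan_file(path)
                if hits:
                    findings.append((path.relative_to(root).as_posix(), hits))
    return findings


# Constructed sample inputs: a benign SLD and a legend graphic carrying script.
CLEAN_SLD = """<?xml version="1.0" encoding="UTF-8"?>
<StyledLayerDescriptor version="1.0.0" xmlns="http://www.opengis.net/sld">
  <NamedLayer><Name>point</Name><UserStyle><FeatureTypeStyle><Rule>
    <PointSymbolizer><Graphic><Mark><WellKnownName>circle</WellKnownName></Mark>
    <Size>6</Size></Graphic></PointSymbolizer>
  </Rule></FeatureTypeStyle></UserStyle></NamedLayer>
</StyledLayerDescriptor>
"""

TAINTED_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="20" height="20"
     onload="fetch('/geoserver/rest/about/status')">
  <script>/* placeholder payload for the example */</script>
  <rect width="20" height="20" fill="#3366cc"/>
</svg>
"""


def build_sample_data_dir():
    """Create a throwaway data directory with clean and tainted resources."""
    root = Path(tempfile.mkdtemp(prefix="geoserver-audit-"))
    (root / "styles").mkdir()
    ws_styles = root / "workspaces" / "topp" / "styles"
    ws_styles.mkdir(parents=True)
    (root / "styles" / "point.sld").write_text(CLEAN_SLD, encoding="utf-8")
    (ws_styles / "roads.sld").write_text(CLEAN_SLD.replace("point", "roads"), encoding="utf-8")
    (ws_styles / "legend.svg").write_text(TAINTED_SVG, encoding="utf-8")
    return root


if __name__ == "__main__":
    sample = build_sample_data_dir()
    for rel_path, markers in audit(sample):
        print(f"{rel_path}: {', '.join(markers)}")
```

Against a real deployment, call audit() with the GeoServer data directory. Every flagged file needs a human look: an SVG legend or an SLD has no legitimate reason to carry a script tag or an onload handler, so a hit is either an attack artifact or a file that should not have been uploaded. The scan is a compensating control for spotting what a workspace administrator has already stored; it does not replace the upgrade, which removes the rendering defect.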

Responsible

GitHub, Inc.

Reservation

12/19/2023

Disclosure

03/20/2024

Moderation

accepted

CPE

ready

EPSS

0.00487

KEV

no

Activities

very low
