Tag
#java
### Summary

A stored cross-site scripting (XSS) vulnerability exists that enables an authenticated administrator with workspace-level privileges to store a JavaScript payload in the GeoServer catalog that will execute in the context of another user's browser when viewed in the WMS GetMap SVG Output Format when the Simple SVG renderer is enabled. Access to the WMS SVG Format is available to all users by default although data and service security may limit users' ability to trigger the XSS.

### Details

_Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer._

### PoC

_Complete instructions, including specific configuration details, to reproduce the vulnerability._

### Impact

If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user. Amongst other things, the attacker can:

1. Perform any action within the application that the user can perform.
2. View any...
### Summary

A stored cross-site scripting (XSS) vulnerability exists that enables an authenticated administrator with workspace-level privileges to store a JavaScript payload in uploaded style/legend resources or in a specially crafted datastore file that will execute in the context of another user's browser when viewed in the Style Publisher. Access to the Style Publisher is available to all users although data security may limit users' ability to trigger the XSS.

### Details

_Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer._

### PoC

_Complete instructions, including specific configuration details, to reproduce the vulnerability._

### Impact

If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user. Amongst other things, the attacker can:

1. Perform any action within the application that the user can perform.
2. View any information that the us...
### Summary

A stored cross-site scripting (XSS) vulnerability exists that enables an authenticated administrator with workspace-level privileges to store a JavaScript payload in uploaded style/legend resources that will execute in the context of another administrator's browser when viewed in the REST Resources API. Access to the REST Resources API is limited to full administrators by default and granting non-administrators access to this endpoint should be carefully considered as it may allow access to files containing sensitive information.

### Details

Upload a new Legend via the New Style page if the user has permissions for this. This file is not checked and is uploaded to the backend system. The file can then be viewed directly by requesting it via the API, which returns the file in its raw format without sanitisation.

![image](https://user-images.githubusercontent.com/6471928/232732469-7dbf2776-5712-4c68-bd12-e2403c136a7c.png)

![image](https://user-images.githubusercont...
### Summary

An arbitrary file upload vulnerability exists that enables an authenticated administrator with permissions to modify coverage stores through the REST Coverage Store API to upload arbitrary file contents to arbitrary file locations which can lead to remote code execution.

### Details

Coverage stores that are configured using relative paths use a GeoServer Resource implementation that has validation to prevent path traversal but coverage stores that are configured using absolute paths use a different Resource implementation that does not prevent path traversal.

### PoC

Step 1 (create sample coverage store):

```bash
curl -vXPUT -H"Content-type:application/zip" -u"admin:geoserver" --data-binary @polyphemus.zip "http://localhost:8080/geoserver/rest/workspaces/sf/coveragestores/filewrite/file.imagemosaic"
```

Step 2 (switch store to absolute URL):

```bash
curl -vXPUT -H"Content-Type:application/xml" -u"admin:geoserver" -d"<coverageStore><url>file:///{absolute path to data directory}/data/sf/filewr...
```
### Impact

This vulnerability requires a GeoServer Administrator with access to the admin console to misconfigure the **Global Settings** for **log file location** to an arbitrary location. This can be used to read files via the admin console **GeoServer Logs** page. It is also possible to leverage RCE or cause denial of service by overwriting key GeoServer files.

### Patches

As this issue requires GeoServer administrator access, often representing a trusted party, the vulnerability has not yet attracted a volunteer or resources. Interested parties are welcome to contact [email protected] for recommendations on developing a fix.

### Workarounds

A system administrator responsible for running GeoServer can define the ``GEOSERVER_LOG_FILE`` parameter, preventing the global setting provided from being used. The ``GEOSERVER_LOG_LOCATION`` parameter can be set as system property, environment variable, or servlet context parameter.

Environmental variable: ```bash e...
Red Hat Security Advisory 2024-1436-03 - An update for postgresql-jdbc is now available for Red Hat Enterprise Linux 9.
Red Hat Security Advisory 2024-1435-03 - An update for postgresql-jdbc is now available for Red Hat Enterprise Linux 8.
Red Hat Security Advisory 2024-1424-03 - An update for nodejs is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Issues addressed include a denial of service vulnerability.
Research conducted by Cisco Talos last year uncovered multiple vulnerabilities rated as low severity despite their ability to allow for full arbitrary code execution.
Tramyardg Autoexpress version 1.3.0 suffers from a persistent cross site scripting vulnerability.