GeoServer
cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*
- < 2.25.0
A reflected cross-site scripting vulnerability has been identified in GeoServer versions prior to 2.25.0. The issue resides in the WMS GetFeatureInfo HTML output format: a remote attacker can execute arbitrary JavaScript in a victim's browser by supplying a crafted SLD_BODY parameter, because HTML auto-escaping in the WMS service is either disabled by default or absent in these versions.
Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can execute JavaScript in the context of the victim's browser.
To reproduce this vulnerability, send a WMS GetFeatureInfo request with crafted SLD_BODY parameters that include JavaScript. The absence of HTML auto-escaping in the response will allow the script to execute in the user's browser.
Users can upgrade to GeoServer 2.25.0 or later, where this vulnerability is patched. On GeoServer 2.21.3+ or 2.22.1+, the WMS GetFeatureInfo HTML auto-escaping setting can be enabled to mitigate this issue.
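As an added example (not GeoServer code and not part of this advisory), the following Python check scans web-server access logs for HTML-format GetFeatureInfo requests whose SLD_BODY carries HTML markup in its XML text or attribute values, which is exactly the input the unescaped HTML template would render. The log lines, the `/geoserver/wms` path and the client addresses are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit
from xml.etree import ElementTree as ET

# Apache combined-log prefix: client address, then the request target.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) HTTP/[\d.]+"')
# HTML that has no business appearing as *text* inside an SLD document.
HTML_RE = re.compile(r'<\s*/?[a-z][a-z0-9]*[\s>/]|javascript:|\bon[a-z]+\s*=', re.I)

# Constructed sample lines (RFC 5737 addresses). The second one carries
# XML-escaped HTML inside <Name>, which an unescaped HTML template renders.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "GET /geoserver/wms?SERVICE=WMS'
    '&REQUEST=GetFeatureInfo&INFO_FORMAT=text/html&SLD_BODY=%3CStyledLayerDescriptor'
    '%3E%3CNamedLayer%3E%3CName%3Etopp%3Astates%3C%2FName%3E%3C%2FNamedLayer%3E'
    '%3C%2FStyledLayerDescriptor%3E HTTP/1.1" 200 2048',
    '198.51.100.7 - - [10/Mar/2024:10:00:02 +0000] "GET /geoserver/wms?SERVICE=WMS'
    '&request=getfeatureinfo&info_format=text/html&sld_body=%3CStyledLayerDescriptor'
    '%3E%3CNamedLayer%3E%3CName%3E%26lt%3Bscript%26gt%3Bx%26lt%3B%2Fscript%26gt%3B'
    '%3C%2FName%3E%3C%2FNamedLayer%3E%3C%2FStyledLayerDescriptor%3E HTTP/1.1" 200 2100',
]

def sld_text_values(sld_body):
    """Every text node and attribute value of the SLD; raises ET.ParseError if malformed."""
    for el in ET.fromstring(sld_body).iter():
        yield from (v for v in (el.text, el.tail) if v)
        yield from el.attrib.values()

def check_request(target):
    """Reason string for an HTML GetFeatureInfo whose SLD_BODY text carries HTML
    markup (or is not XML at all); None otherwise. WMS keys are case-insensitive."""
    p = {k.lower(): v[0] for k, v in parse_qs(urlsplit(target).query).items()}
    if (p.get('request', '').lower() != 'getfeatureinfo' or 'sld_body' not in p
            or 'html' not in p.get('info_format', '').lower()):
        return None
    try:
        for value in sld_text_values(p['sld_body']):
            if HTML_RE.search(value):
                return 'html markup in SLD_BODY text: %r' % value[:60]
    except ET.ParseError:
        return 'malformed SLD_BODY'
    return None

def scan_log(lines):
    """Return (client_ip, reason) for each flagged access-log line."""
    hits = [(m.group(1), check_request(m.group(2))) for m in map(LOG_RE.match, lines) if m]
    return [(ip, why) for ip, why in hits if why]

if __name__ == '__main__':
    print(scan_log(SAMPLE_LOG))
```

A legitimate SLD only has style names, colours and sizes as text, so the check stays quiet on the first sample line and flags only the second; a body that does not even parse as XML is reported separately.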