GeoServer style upload functionality vulnerable to XML External Entity (XXE) injection
Description

Summary

GeoNode is vulnerable to an XML External Entity (XXE) injection in the style upload functionality of GeoServer, leading to Arbitrary File Read.

Details

GeoNode's GeoServer integration allows uploading new styles for datasets through the dataset_style_upload view.

```py
# https://github.dev/GeoNode/geonode/blob/99b0557da5c7db23c72ad39e466b88fe43edf82d/geonode/geoserver/views.py#L158-L159
@login_required
def dataset_style_upload(request, layername):
    def respond(*args, **kw):
        kw['content_type'] = 'text/html'
        return json_response(*args, **kw)
    ...
    sld = request.FILES['sld'].read()  # 1
    sld_name = None
    try:
        # Check SLD is valid
        ...
        sld_name = extract_name_from_sld(gs_catalog, sld, sld_file=request.FILES['sld'])  # 2
    except Exception as e:
        respond(errors=f"The uploaded SLD file is not valid XML: {e}")
    name = data.get('name') or sld_name
    set_dataset_style(layer, data.get('title') or name, sld)
    return respond(
        body={
            'success': True,
            'style': data.get('title') or name,  # 3
            'updated': data['update']})
```

dataset_style_upload reads a user-provided file (1), passes it to extract_name_from_sld to extract an element from it (2) and returns that extracted value in the response (3).

```py
# https://github.dev/GeoNode/geonode/blob/99b0557da5c7db23c72ad39e466b88fe43edf82d/geonode/geoserver/helpers.py#L233-L234
def extract_name_from_sld(gs_catalog, sld, sld_file=None):
    try:
        ...
```
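As an added example, not GeoNode's own code, here is a hardened stand-in for the name extraction that refuses any DOCTYPE before the document is parsed, so no entity (internal or external) can ever be expanded and reflected into the response. The function names, the SLD samples and the NamedLayer/Name location are assumptions, since the advisory's excerpt of extract_name_from_sld is truncated.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

SLD_NS = "http://www.opengis.net/sld"

class UnsafeSldError(ValueError):
    """Uploaded SLD carries a DTD (DOCTYPE/ENTITY declarations) and is refused."""

def _reject_doctype(sld: bytes) -> None:
    # A style sheet never needs a DTD, so any DOCTYPE is refused before
    # the document is parsed for real. Expat fires this handler at the
    # start of the declaration, before any entity could be resolved.
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeSldError(f"DOCTYPE {name!r} not allowed in uploaded SLD")

    p = expat.ParserCreate()
    p.StartDoctypeDeclHandler = on_doctype
    p.Parse(sld, True)

def extract_name_from_sld_safe(sld: bytes) -> str:
    """Hypothetical hardened stand-in for extract_name_from_sld: returns
    NamedLayer/Name from an SLD 1.0.0 document or raises ValueError."""
    _reject_doctype(sld)
    root = ET.fromstring(sld)
    el = root.find(f"{{{SLD_NS}}}NamedLayer/{{{SLD_NS}}}Name")
    if el is None or not (el.text and el.text.strip()):
        raise ValueError("SLD has no NamedLayer/Name element")
    return el.text.strip()

def check_upload(sld: bytes):
    """Decide as the view would: (accepted, style name or error message)."""
    try:
        return True, extract_name_from_sld_safe(sld)
    except (ValueError, ET.ParseError, expat.ExpatError) as e:
        return False, str(e)

# Constructed sample inputs (not from the advisory).
BENIGN_SLD = b"""<?xml version="1.0" encoding="UTF-8"?>
<StyledLayerDescriptor version="1.0.0" xmlns="http://www.opengis.net/sld">
  <NamedLayer><Name>roads_style</Name></NamedLayer>
</StyledLayerDescriptor>"""
# Carries a DTD with an external entity, the shape an XXE attempt takes.
DOCTYPE_SLD = b"""<?xml version="1.0"?>
<!DOCTYPE StyledLayerDescriptor [<!ENTITY ext SYSTEM "file:///placeholder">]>
<StyledLayerDescriptor version="1.0.0" xmlns="http://www.opengis.net/sld">
  <NamedLayer><Name>&ext;</Name></NamedLayer>
</StyledLayerDescriptor>"""
```

With the DOCTYPE refused up front, the upload is rejected with a parse error message rather than echoing entity-expanded content back as the style name.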
