BUG-000153659 ArcGIS Enterprise Sites has a stored XSS vulnerability
CVE-2023-25835
4.8 MEDIUM
What is CVE-2023-25835?
A stored Cross-site Scripting vulnerability exists in the Esri Portal for ArcGIS Enterprise Sites, specifically versions 10.8.1 through 11.1. This flaw allows an authenticated remote attacker to craft a malicious link that, once stored in the site configuration, can execute arbitrary JavaScript code in the browser of any user who clicks the link. The successful exploitation of this vulnerability may compromise the confidentiality, integrity, and availability of the affected systems, posing significant risks to users and operations.
Affected Version(s)
Portal for ArcGIS Sites 64 bit All <= 11.1
CVSS V3.1
Score: 4.8
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved