BUG-000133088 - ArcGIS Enterprise site builder is subject to stored XSS.
CVE-2023-25837

4.8MEDIUM

Key Information:

Vendor

Esri

Status
Portal For Arcgis Sites
Vendor
CVE Published:
21 July 2023

What is CVE-2023-25837?

A Cross-site Scripting vulnerability exists in Esri ArcGIS Enterprise Sites versions 10.8.1 and 10.9. This flaw allows an authenticated remote attacker to craft a malicious link. If a victim clicks this link, it could lead to the execution of arbitrary JavaScript code in the user's browser, posing a significant security risk. Users with appropriate privileges are capable of exploiting this vulnerability, making it crucial for organizations using these versions to apply the necessary security measures to mitigate potential threats.

Affected Version(s)

Portal for ArcGIS Sites 64 bit All <= 10.9

References

https://www.esri.com/arcgis-blog/products/trust-arcgis/ad...

CVSS V3.1

Score:
4.8
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2023-25837 : BUG-000133088 - ArcGIS Enterprise site builder is subject to stored XSS.