BUG-000154070 Stored XSS issue in the ArcGIS REST Services directory
CVE-2023-25840

3.4LOW

Key Information:

Vendor: Esri
Status: Arcgis Enterprise Server
Vendor: CVE Published:; 21 July 2023

What is CVE-2023-25840?

There is a Cross-site Scripting vulnerability in ArcGIS Server in versions 11.1 and below that may allow a remote, authenticated attacker to create a crafted link which onmouseover wont execute but could potentially render an image in the victims browser. The privileges required to execute this attack are high.

Affected Version(s)

ArcGIS Enterprise Server Windows All <= 11.1

References

https://www.esri.com/arcgis-blog/products/trust-arcgis/an...

CVSS V3.1

Score:

3.4

Severity:

LOW

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Jul 21, 2023
Vulnerability Reserved
Feb 15, 2023

Esri

What is CVE-2023-25840?

Affected Version(s)

References

CVSS V3.1

Timeline