Cross-Site Request Forgery Vulnerability in ArcGIS Versions 11.1 and Below
CVE-2024-25692

5.4 MEDIUM

Key Information:

Vendor:
Esri

CVE Published:
4 April 2024

What is CVE-2024-25692?

A cross-site request forgery (CSRF) vulnerability exists in Esri Portal for ArcGIS that may allow a remote, unauthenticated attacker to manipulate actions taken by an authorized user. By crafting specific forms, the attacker can potentially trick an authenticated user into performing unintended actions without their knowledge. The vulnerability affects versions 11.1 and earlier of the software and concerns its web application security framework. Although the direct impact on confidentiality and integrity is rated low, users are encouraged to apply the necessary updates to mitigate the associated security risk.

Affected Version(s)

Portal for ArcGIS Windows all <= 11.0

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published