Cross-site Scripting Vulnerability in ArcGIS Enterprise Experience Builder Could lead to Full Control of Portal
CVE-2024-25701

4.8MEDIUM

Key Information:

Vendor

Esri

Status
Portal For Arcgis Enterprise Experience Builder
Vendor
CVE Published:
4 October 2024

What is CVE-2024-25701?

There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Experience Builder versions 11.1 and below that may allow a remote, authenticated attacker to create a crafted link that is stored in the Experience Builder Embed widget which when loaded could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal.

Affected Version(s)

Portal for ArcGIS Enterprise Experience Builder Windows all <= 11.1

References

https://www.esri.com/arcgis-blog/products/trust-arcgis/ad...

CVSS V3.1

Score:
4.8
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

.
CVE-2024-25701 : Cross-site Scripting Vulnerability in ArcGIS Enterprise Experience Builder Could lead to Full Control of Portal