Cross-site Scripting Vulnerability in ArcGIS Enterprise Sites
CVE-2024-25702

4.8MEDIUM

Key Information:

Vendor: Esri
Status: Arcgis Enterprise Web App Builder
Vendor: CVE Published:; 4 October 2024

What is CVE-2024-25702?

There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 11.1 and below that may allow a remote, authenticated attacker to create a crafted link that is stored in the site configuration which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal.

Affected Version(s)

ArcGIS Enterprise Web App Builder Windows all <= 11.1

References

https://www.esri.com/arcgis-blog/products/trust-arcgis/ad...

CVSS V3.1

Score:

4.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Oct 4, 2024