Cross-site Scripting Vulnerability in Esri Portal for ArcGIS Enterprise Web App Builder
CVE-2024-25708

4.8MEDIUM

Key Information:

Vendor

Esri

Status
Arcgis Enterprise Web App Builder
Vendor
CVE Published:
4 April 2024

What is CVE-2024-25708?

A stored Cross-site Scripting vulnerability exists in Esri Portal for ArcGIS Enterprise Web App Builder versions 10.8.1 through 10.9.1. This vulnerability enables a remote, authenticated attacker to construct a specially crafted link that, when accessed, could execute arbitrary JavaScript code in the browser of an unsuspecting user. The attack requires elevated privileges to conduct successfully, making it imperative for users of the affected versions to apply security updates and mitigate potential risks associated with this flaw.

Affected Version(s)

ArcGIS Enterprise Web App Builder x86 All <= 10.9.1

References

https://www.esri.com/arcgis-blog/products/arcgis-enterpri...

CVSS V3.1

Score:
4.8
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

.
CVE-2024-25708 : Cross-site Scripting Vulnerability in Esri Portal for ArcGIS Enterprise Web App Builder