Cross-site Scripting Vulnerability in Esri Portal for ArcGIS
CVE-2024-25709

6.1MEDIUM

Key Information:

Vendor: Esri
Status: Portal For Arcgis
Vendor: CVE Published:; 4 April 2024

What is CVE-2024-25709?

There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS versions 11.2 and below that may allow a remote, authenticated attacker to create a crafted link that can be saved as a new location when moving an existing item which will potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high.

Affected Version(s)

Portal for ArcGIS Windows All <= 11.2

References

https://www.esri.com/arcgis-blog/products/arcgis-enterpri...

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Apr 4, 2024

Credit

Miguel Falé