HTML Injection Vulnerability in Esri Portal for ArcGIS
CVE-2024-38039

5.4MEDIUM

Key Information:

Vendor: Esri
Status: Portal For Arcgis
Vendor: CVE Published:; 4 October 2024

What is CVE-2024-38039?

There is an HTML injection vulnerability in Esri Portal for ArcGIS versions 11.0 and below that may allow a remote, authenticated attacker to create a crafted link which when clicked could render arbitrary HTML in the victim’s browser (no stateful change made or customer data rendered).

Affected Version(s)

Portal for ArcGIS Windows 10.9.1

Portal for ArcGIS Windows 11.1

References

https://www.esri.com/arcgis-blog/products/trust-arcgis/ad...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 4, 2024