Reflected XSS Vulnerability in Esri Portal for ArcGIS Could Allow Remote Execution of Arbitrary JavaScript Code
CVE-2024-8149

6.1MEDIUM

Key Information:

Vendor: Esri
Status: Portal For Arcgis
Vendor: CVE Published:; 4 October 2024

What is CVE-2024-8149?

A reflected cross-site scripting (XSS) vulnerability exists in Esri Portal for ArcGIS versions 11.1 and 11.2. This flaw allows a remote, unauthenticated attacker to craft a malicious link. When this link is clicked by a user, it can exploit the vulnerability, potentially executing arbitrary JavaScript code within the user's browser session. This poses significant risks, including the possibility of data theft, session hijacking, and other malicious activities due to the execution of unauthorized scripts.

Affected Version(s)

Portal for ArcGIS 11.1

Portal for ArcGIS 11.2

References

https://www.esri.com/arcgis-blog/products/trust-arcgis/ad...

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 4, 2024