CVE-2024-25709

Published: Apr 4, 2024Modified: Feb 13, 2026

4.8

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Exploitability: 1.7 / Impact: 2.7

Source: NVD

Description

There is a stored Cross‑Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS versions 11.2 and below that may allow a remote, authenticated attacker to create a crafted link that can be saved as a new location when moving an existing item, which could potentially execute arbitrary JavaScript code in a victim’s browser. Exploitation does not require any privileges and can be performed by an anonymous user.

Affected (5)

Products: Esri: Portal For Arcgis

Esri

1 product

Portal For Arcgis

Configuration A

5 vulnerable · 2 platform

Vulnerable Software	Affected Versions
Esri Portal For Arcgis	Version 10.8.1
Esri Portal For Arcgis	Version 10.9.1
Esri Portal For Arcgis	Version 11.0
Esri Portal For Arcgis	Version 11.1
Esri Portal For Arcgis	Version 11.2

Running on/with	Platform Versions
Linux Linux Kernel	All versions
Microsoft Windows	All versions

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (1)

https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2024-update-1/

Source: psirt@esri.com

Not Applicable

Timeline

No history available yet.