← Back

CVE-2025-55103

nvd nist
Published: Aug 21, 2025Modified: Sep 5, 2025

JSON object

Loading...
4.8
Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Exploitability: 1.7 / Impact: 2.7
Source: psirt@esri.com (Secondary)

Description

There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 – 11.4 that may allow a remote, authenticated attacker to inject malicious a file with an embedded xss script which when loaded could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal.

Affected (4)

Esri
1 product
Portal For Arcgis
Configuration A
4 vulnerable
Vulnerable SoftwareAffected Versions
Esri
Portal For Arcgis
Version 10.9.1
Portal For Arcgis
Version 11.1
Portal For Arcgis
Version 11.2
Portal For Arcgis
Version 11.4

Related CWEs

CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (1)

Source: psirt@esri.com
PatchVendor Advisory

Timeline

No history available yet.