There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.8.1 – 11.1 that may allow a remote, authenticated attacker to create a crafted link that is stored in the site configuration which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal.
References
Link | Resource |
---|---|
https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2024-update-2-released/ | Vendor Advisory |
Configurations
History
16 Oct 2024, 21:03
Type | Values Removed | Values Added |
---|---|---|
First Time |
Esri
Esri portal For Arcgis |
|
CPE | cpe:2.3:a:esri:portal_for_arcgis:*:*:*:*:*:*:*:* | |
References | () https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2024-update-2-released/ - Vendor Advisory |
07 Oct 2024, 17:48
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
04 Oct 2024, 18:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-10-04 18:15
Updated : 2024-10-16 21:03
NVD link : CVE-2024-25702
Mitre link : CVE-2024-25702
CVE.ORG link : CVE-2024-25702
JSON object : View
Products Affected
esri
- portal_for_arcgis
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')