CVE-2024-25709

There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS versions 10.8.1 – 1121 that may allow a remote, authenticated attacker to create a crafted link that can be saved as a new location when moving an existing item which will potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high.
Configurations

No configuration.

History

10 Oct 2024, 12:57

Type Values Removed Values Added
Summary
  • (es) There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS versions 10.8.1 – 1121 that may allow a remote, authenticated attacker to create a crafted link that can be saved as a new location when moving an existing item, which will potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high.

08 Oct 2024, 17:15

Type Values Removed Values Added
Summary (en) Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority because this item is scheduled to be patched at a future time. (en) There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS versions 10.8.1 – 1121 that may allow a remote, authenticated attacker to create a crafted link that can be saved as a new location when moving an existing item which will potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high.
References
  • https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2024-update-1/
CWE CWE-79
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 6.1

25 Apr 2024, 19:15

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 6.1
v2 : unknown
v3 : unknown
Summary
  • (es) There is a stored Cross-Site Scripting vulnerability in Esri Portal for ArcGIS versions 10.8.1 – 1121 that may allow a remote, authenticated attacker to create a crafted link that can be saved as a new location when moving an existing item, which will potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high.
Summary (en) There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS versions 10.8.1 – 1121 that may allow a remote, authenticated attacker to create a crafted link that can be saved as a new location when moving an existing item which will potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high.  (en) Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority because this item is scheduled to be patched at a future time.
CWE CWE-79
References
  • https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2024-update-1/ (source: psirt@esri.com)

19 Apr 2024, 23:15

Type Values Removed Values Added
Summary
  • (es) There is a stored Cross-Site Scripting vulnerability in Esri Portal for ArcGIS versions 10.8.1 – 1121 that may allow a remote, authenticated attacker to create a crafted link that can be saved as a new location when moving an existing item, which will potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high.
References
  • https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2024-update-2/ (source: psirt@esri.com)
  • https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2024-update-1/

04 Apr 2024, 18:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-04-04 18:15

Updated : 2024-10-10 12:57


NVD link : CVE-2024-25709

Mitre link : CVE-2024-25709

CVE.ORG link : CVE-2024-25709



Products Affected

No product.

CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')