CVE-2024-38039

{"id": "CVE-2024-38039", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}, {"type": "Secondary", "source": "psirt@esri.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2024-10-04T18:15:07.633", "references": [{"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2024-update-2-released/", "tags": ["Vendor Advisory"], "source": "psirt@esri.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}, {"type": "Secondary", "source": "psirt@esri.com", "description": [{"lang": "en", "value": "CWE-80"}]}], "descriptions": [{"lang": "en", "value": "There is an HTML injection vulnerability in Esri Portal for ArcGIS versions 11.0 and below that may allow a remote, authenticated attacker to create a crafted link which when clicked could render arbitrary HTML in the victim\u2019s browser (no stateful change made or customer data rendered)."}, {"lang": "es", "value": "Hay una vulnerabilidad de inyecci\u00f3n HTML en Esri Portal for ArcGIS versiones 11.0 y anteriores que puede permitir que un atacante remoto y autenticado cree un enlace dise\u00f1ado que, al hacer clic, podr\u00eda generar HTML arbitrario en el navegador de la v\u00edctima (no se realizan cambios con estado ni se representan datos del cliente)."}], "lastModified": "2024-10-15T14:34:00.893", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:esri:portal_for_arcgis:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6BE67D5A-F389-4819-BEF6-F17CE6114D54", "versionEndIncluding": "11.0"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@esri.com"}