CVE-2024-25706

There is an HTML injection vulnerability in Esri Portal for ArcGIS 11.0 and below that may allow a remote, unauthenticated attacker to craft a URL which, when clicked, could potentially generate a message that may entice an unsuspecting victim to visit an arbitrary website. This could simplify phishing attacks.
Configurations

Configuration 1

cpe:2.3:a:esri:portal_for_arcgis:*:*:*:*:*:*:*:*

History

10 Apr 2025, 19:15

Summary
  • Removed (en): There is an HTML injection vulnerability in Esri Portal for ArcGIS <=11.0 that may allow a remote, unauthenticated attacker to craft a URL which, when clicked, could potentially generate a message that may entice an unsuspecting victim to visit an arbitrary website. This could simplify phishing attacks.
  • Added (en): There is an HTML injection vulnerability in Esri Portal for ArcGIS 11.0 and below that may allow a remote, unauthenticated attacker to craft a URL which, when clicked, could potentially generate a message that may entice an unsuspecting victim to visit an arbitrary website. This could simplify phishing attacks.

08 Jan 2025, 15:42

References
  • Removed: https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2024-update-2/ -
  • Added: https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2024-update-2/ - Vendor Advisory
CWE
  • Added: CWE-79
First Time
  • Added: Esri
  • Added: Esri portal For Arcgis
CPE
  • Added: cpe:2.3:a:esri:portal_for_arcgis:*:*:*:*:*:*:*:*

10 Oct 2024, 12:57

Summary
  • Added (es): There is an HTML injection vulnerability in Esri Portal for ArcGIS <=11.0 that may allow a remote, unauthenticated attacker to create a URL which, when clicked, could generate a message that entices an unsuspecting victim to visit an arbitrary website. This could simplify phishing attacks.

08 Oct 2024, 17:15

CVSS
  • Removed: v2 : unknown; v3 : unknown
  • Added: v2 : unknown; v3 : 6.1
References
  • Added: https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2024-update-2/ -
Summary
  • Removed (en): Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority because this item is scheduled to be patched at a future time.
  • Added (en): There is an HTML injection vulnerability in Esri Portal for ArcGIS <=11.0 that may allow a remote, unauthenticated attacker to craft a URL which, when clicked, could potentially generate a message that may entice an unsuspecting victim to visit an arbitrary website. This could simplify phishing attacks.
CWE
  • Added: CWE-94

25 Apr 2024, 19:15

CVSS
  • Removed: v2 : unknown; v3 : 6.1
  • Added: v2 : unknown; v3 : unknown
References
  • Removed: https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2024-update-2/ (source: psirt@esri.com)
CWE
  • Removed: CWE-94
Summary
  • Removed (es): There is an HTML injection vulnerability in Esri Portal for ArcGIS <=11.0 that may allow a remote, unauthenticated attacker to create a URL which, when clicked, could generate a message that could lure an unsuspecting victim into visiting an arbitrary website. This could simplify phishing attacks.
  • Removed (en): There is an HTML injection vulnerability in Esri Portal for ArcGIS <=11.0 that may allow a remote, unauthenticated attacker to craft a URL which, when clicked, could potentially generate a message that may entice an unsuspecting victim to visit an arbitrary website. This could simplify phishing attacks.
  • Added (en): Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority because this item is scheduled to be patched at a future time.

04 Apr 2024, 19:24

New CVE

Information

Published : 2024-04-04 18:15

Updated : 2025-04-10 19:15


NVD link : CVE-2024-25706

Mitre link : CVE-2024-25706

CVE.ORG link : CVE-2024-25706

Products Affected

esri

  • portal_for_arcgis
CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')