CVE-2024-25709

There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS versions 11.2 and below that may allow a remote, authenticated attacker to create a crafted link that can be saved as a new location when moving an existing item which will potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2024-update-1/	Not Applicable

Configurations

Configuration 1 (hide)

AND

OR	cpe:2.3:a:esri:portal_for_arcgis:10.8.1:::::::*
	cpe:2.3:a:esri:portal_for_arcgis:10.9.1:::::::*
	cpe:2.3:a:esri:portal_for_arcgis:11.0:::::::*
	cpe:2.3:a:esri:portal_for_arcgis:11.1:::::::*
	cpe:2.3:a:esri:portal_for_arcgis:11.2:::::::*

OR	cpe:2.3:o:linux:linux_kernel:-:::::::*
	cpe:2.3:o:microsoft:windows:-:::::::*

History

10 Apr 2025, 19:15

Type	Values Removed	Values Added
Summary	(en) There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS versions 10.8.1 – 1121 that may allow a remote, authenticated attacker to create a crafted link that can be saved as a new location when moving an existing item which will potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high.	(en) There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS versions 11.2 and below that may allow a remote, authenticated attacker to create a crafted link that can be saved as a new location when moving an existing item which will potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high.

23 Jan 2025, 16:17

Type	Values Removed	Values Added
References	~~() https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2024-update-1/ -~~	() https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2024-update-1/ - Not Applicable
CPE		cpe:2.3:o:microsoft:windows:-:::::::* cpe:2.3:a:esri:portal_for_arcgis:10.8.1:::::::* cpe:2.3:a:esri:portal_for_arcgis:10.9.1:::::::* cpe:2.3:a:esri:portal_for_arcgis:11.2:::::::* cpe:2.3:a:esri:portal_for_arcgis:11.0:::::::* cpe:2.3:a:esri:portal_for_arcgis:11.1:::::::* cpe:2.3:o:linux:linux_kernel:-:::::::*
First Time		Linux Microsoft windows Esri portal For Arcgis Esri Linux linux Kernel Microsoft

10 Oct 2024, 12:57

Type	Values Removed	Values Added
Summary		(es) Existe una vulnerabilidad de Cross-site Scripting Almacenado en Esri Portal for ArcGIS versiones 10.8.1 – 1121 que puede permitir que un atacante remoto autenticado cree un vínculo manipulado que se puede guardar como una nueva ubicación al mover un elemento existente, lo que potencialmente ejecutará código JavaScript arbitrario en el navegador de la víctima. Los privilegios necesarios para ejecutar este ataque son altos.

08 Oct 2024, 17:15

Type	Values Removed	Values Added
Summary	~~(en) Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority because this item is scheduled to be patched at a future time.~~	(en) There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS versions 10.8.1 – 1121 that may allow a remote, authenticated attacker to create a crafted link that can be saved as a new location when moving an existing item which will potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high.
CWE		CWE-79
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.1
References		() https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2024-update-1/ -

25 Apr 2024, 19:15

Type	Values Removed	Values Added
CWE	~~CWE-79~~
References	~~{'url': 'https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2024-update-1/', 'source': 'psirt@esri.com'}~~
CVSS	v2 : ~~unknown~~ v3 : ~~6.1~~	v2 : unknown v3 : unknown
Summary	(es) Existe una vulnerabilidad de Cross-Site Scripting almacenado en Esri Portal for ArcGIS versiones 10.8.1 – 1121 que puede permitir que un atacante remoto y autenticado cree un enlace manipulado que se puede guardar como una nueva ubicación al mover un elemento existente que potencialmente se ejecutará. código JavaScript arbitrario en el navegador de la víctima. Los privilegios necesarios para ejecutar este ataque son elevados.
Summary	(en) There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS versions 10.8.1 – 1121 that may allow a remote, authenticated attacker to create a crafted link that can be saved as a new location when moving an existing item which will potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high.	(en) Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority because this item is scheduled to be patched at a future time.

19 Apr 2024, 23:15

Type	Values Removed	Values Added
References	~~{'url': 'https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2024-update-2/', 'source': 'psirt@esri.com'}~~	() https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2024-update-1/ -

04 Apr 2024, 19:24

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-04-04 18:15

Updated : 2025-04-10 19:15

NVD link : CVE-2024-25709

Mitre link : CVE-2024-25709

CVE.ORG link : CVE-2024-25709

JSON object : View

Products Affected

linux

linux_kernel

microsoft

windows

esri

portal_for_arcgis

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

6.1 /10