Skip to main content

Portal For Arcgis CVE-2024-25693

CRITICAL
Path Traversal (CWE-22)
2024-04-04 psirt@esri.com
9.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Apr 04, 2024 - 18:15 nvd
CRITICAL 9.9

DescriptionNVD

There is a path traversal in Esri Portal for ArcGIS versions <= 11.2. Successful exploitation may allow a remote, authenticated attacker to traverse the file system to access files or execute code outside of the intended directory.

AnalysisAI

There is a path traversal in Esri Portal for ArcGIS versions <= 11.2. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Path Traversal (CWE-22), which allows attackers to access files and directories outside the intended path. There is a path traversal in Esri Portal for ArcGIS versions <= 11.2. Successful exploitation may allow a remote, authenticated attacker to traverse the file system to access files or execute code outside of the intended directory. Affected products include: Esri Portal For Arcgis.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Validate and canonicalize file paths. Use chroot or sandboxing. Reject input containing path separators or '../' sequences.

CVE-2026-13019 CRITICAL
9.8 Jul 07

Missing authentication in Esri Portal for ArcGIS 12.1 and earlier (Windows, Linux, and Kubernetes deployments) exposes a

CVE-2026-13020 CRITICAL
9.8 Jul 07

Account takeover in Esri Portal for ArcGIS 12.1 and earlier (Windows, Linux, and Kubernetes) stems from a weak forgotten

CVE-2025-2538 CRITICAL
9.8 Mar 20

A hardcoded credential vulnerability exists in a specific deployment pattern for Esri Portal for ArcGIS versions 11.4 an

CVE-2022-38193 CRITICAL
9.6 Aug 16

There is a code injection vulnerability in Esri Portal for ArcGIS versions 10.8.1 and below that may allow a remote, una

CVE-2023-25832 HIGH
8.8 May 09

There is a cross-site-request forgery vulnerability in Esri Portal for ArcGIS Versions 11.0 and below that may allow an

CVE-2021-29108 HIGH
8.8 Oct 01

There is an privilege escalation vulnerability in organization-specific logins in Esri Portal for ArcGIS versions 10.9 a

CVE-2024-25699 HIGH
8.5 Apr 04

There is a difficult‑to‑exploit improper authentication issue in the Home application for Esri Portal for ArcGIS version

CVE-2023-25837 HIGH
8.4 Jul 21

There is a Cross‑Site Scripting (XSS) vulnerability in Esri ArcGIS Enterprise Sites versions 10.9 and below that may all

CVE-2023-25835 HIGH
8.4 Jul 21

There is a stored Cross‑Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS Sites versions 11.1 and below that

CVE-2024-38040 HIGH
7.5 Oct 04

There is a local file inclusion vulnerability in Esri Portal for ArcGIS 11.2 and below that may allow a remote, unauthen

CVE-2022-38212 HIGH
7.5 Dec 29

Protections against potential Server-Side Request Forgery (SSRF) vulnerabilities in Esri Portal for ArcGIS versions 10.8

CVE-2022-38211 HIGH
7.5 Dec 29

Protections against potential Server-Side Request Forgery (SSRF) vulnerabilities in Esri Portal for ArcGIS versions 10.9

Share

CVE-2024-25693 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy