Skip to main content

Portal For Arcgis CVE-2024-25698

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2024-04-04 psirt@esri.com
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Apr 04, 2024 - 18:15 nvd
MEDIUM 6.1

DescriptionNVD

There is a reflected cross site scripting vulnerability in the home application in Esri Portal for ArcGIS 11.1 and below on Windows and Linux that allows a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser.

AnalysisAI

There is a reflected cross site scripting vulnerability in the home application in Esri Portal for ArcGIS 11.1 and below on Windows and Linux that allows a remote, unauthenticated attacker to create. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. There is a reflected cross site scripting vulnerability in the home application in Esri Portal for ArcGIS 11.1 and below on Windows and Linux that allows a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. Affected products include: Esri Portal For Arcgis.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2024-25693 CRITICAL
9.9 Apr 04

There is a path traversal in Esri Portal for ArcGIS versions <= 11.2. Rated critical severity (CVSS 9.9), this vulnerabi

CVE-2026-13019 CRITICAL
9.8 Jul 07

Missing authentication in Esri Portal for ArcGIS 12.1 and earlier (Windows, Linux, and Kubernetes deployments) exposes a

CVE-2026-13020 CRITICAL
9.8 Jul 07

Account takeover in Esri Portal for ArcGIS 12.1 and earlier (Windows, Linux, and Kubernetes) stems from a weak forgotten

CVE-2025-2538 CRITICAL
9.8 Mar 20

A hardcoded credential vulnerability exists in a specific deployment pattern for Esri Portal for ArcGIS versions 11.4 an

CVE-2022-38193 CRITICAL
9.6 Aug 16

There is a code injection vulnerability in Esri Portal for ArcGIS versions 10.8.1 and below that may allow a remote, una

CVE-2023-25832 HIGH
8.8 May 09

There is a cross-site-request forgery vulnerability in Esri Portal for ArcGIS Versions 11.0 and below that may allow an

CVE-2021-29108 HIGH
8.8 Oct 01

There is an privilege escalation vulnerability in organization-specific logins in Esri Portal for ArcGIS versions 10.9 a

CVE-2024-25699 HIGH
8.5 Apr 04

There is a difficult‑to‑exploit improper authentication issue in the Home application for Esri Portal for ArcGIS version

CVE-2023-25837 HIGH
8.4 Jul 21

There is a Cross‑Site Scripting (XSS) vulnerability in Esri ArcGIS Enterprise Sites versions 10.9 and below that may all

CVE-2023-25835 HIGH
8.4 Jul 21

There is a stored Cross‑Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS Sites versions 11.1 and below that

CVE-2024-38040 HIGH
7.5 Oct 04

There is a local file inclusion vulnerability in Esri Portal for ArcGIS 11.2 and below that may allow a remote, unauthen

CVE-2022-38212 HIGH
7.5 Dec 29

Protections against potential Server-Side Request Forgery (SSRF) vulnerabilities in Esri Portal for ArcGIS versions 10.8

Share

CVE-2024-25698 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy