CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionNVD
There is a Cross‑Site Scripting (XSS) issue in Esri ArcGIS Pro versions 3.6.0 and earlier. ArcGIS Pro is a desktop application, and exploitation is limited to local users interacting with the application; no privileged role or elevated permissions are required beyond standard local user access. A local attacker can supply malicious strings that may be rendered and executed when a specific dialog within ArcGIS Pro is opened. This issue is fixed in ArcGIS Pro version 3.6.1.
AnalysisAI
Stored XSS in ArcGIS Pro 3.6.0 and earlier allows local attackers to inject malicious scripts into application dialogs that execute when opened by users with standard local access. No patch is currently available, and exploitation requires user interaction with a specific dialog containing attacker-supplied input. …
Sign in for full analysis, threat intelligence, and remediation guidance.
RemediationAI
Within 30 days: Identify affected systems running Esri ArcGIS Pro and apply vendor patches as part of regular patch cycle. Verify Content-Security-Policy and output encoding.
Sign in for detailed remediation steps.
Share
External POC / Exploit Code
Leaving vuln.today