Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-25691

Summary
Assigner-Esri
Assigner Org ID-cedc17bb-4939-4f40-a1f4-30ae8af1094e
Published At-04 Oct, 2024 | 17:18
Updated At-10 Apr, 2025 | 19:18
Rejected At-
Credits

BUG-000165286 - Reflected XSS in Portal for ArcGIS

There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 11.1 and below which may allow a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Esri
Assigner Org ID:cedc17bb-4939-4f40-a1f4-30ae8af1094e
Published At:04 Oct, 2024 | 17:18
Updated At:10 Apr, 2025 | 19:18
Rejected At:
▼CVE Numbering Authority (CNA)
BUG-000165286 - Reflected XSS in Portal for ArcGIS

There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 11.1 and below which may allow a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser.

Affected Products
Vendor
Environmental Systems Research Institute, Inc. ("Esri")Esri
Product
Portal for ArcGIS
Platforms
  • Windows
Default Status
unaffected
Versions
Affected
  • From all through 11.2 (all)
Problem Types
TypeCWE IDDescription
CWECWE-79CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Type: CWE
CWE ID: CWE-79
Description: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Metrics
VersionBase scoreBase severityVector
3.16.1MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Version: 3.1
Base score: 6.1
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-591CAPEC-591 Reflected XSS
CAPEC ID: CAPEC-591
Description: CAPEC-591 Reflected XSS
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2024-update-2-released/
N/A
Hyperlink: https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2024-update-2-released/
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Vendor
Environmental Systems Research Institute, Inc. ("Esri")esri
Product
portal_for_arcgis
CPEs
  • cpe:2.3:a:esri:portal_for_arcgis:-:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • 10.8.1
  • 10.9.1
  • 11.1
  • 11.2
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:psirt@esri.com
Published At:04 Oct, 2024 | 18:15
Updated At:10 Apr, 2025 | 20:15

There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 11.1 and below which may allow a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.16.1MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary3.16.1MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 6.1
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Type: Primary
Version: 3.1
Base score: 6.1
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CPE Matches
Environmental Systems Research Institute, Inc. ("Esri")
esri
>>portal_for_arcgis>>10.8.1
cpe:2.3:a:esri:portal_for_arcgis:10.8.1:*:*:*:*:*:*:*
Environmental Systems Research Institute, Inc. ("Esri")
esri
>>portal_for_arcgis>>10.9.1
cpe:2.3:a:esri:portal_for_arcgis:10.9.1:*:*:*:*:*:*:*
Environmental Systems Research Institute, Inc. ("Esri")
esri
>>portal_for_arcgis>>11.1
cpe:2.3:a:esri:portal_for_arcgis:11.1:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-79Secondarypsirt@esri.com
CWE ID: CWE-79
Type: Secondary
Source: psirt@esri.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2024-update-2-released/psirt@esri.com
Vendor Advisory
Hyperlink: https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2024-update-2-released/
Source: psirt@esri.com
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

0Records found
Details not found