CVE-2024-25702

CVSS V2 None CVSS V3 None

Description

There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.8.1 – 11.1 that may allow a remote, authenticated attacker to create a crafted link that is stored in the site configuration which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal.

Overview

CVE ID
CVE-2024-25702

Assigner
Esri

Vulnerability Status
PUBLISHED

Published Version
2024-10-04T17:17:12.593Z

Last Modified Date
2024-10-04T18:09:56.799Z

Weakness Enumerations

CWE	URL
CWE-79	http://cwe.mitre.org/data/definitions/79.html

References

Reference URL	Reference Tags
https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2024-update-2-released/

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-25702
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25702

History

Created	Old Value	New Value	Data Type	Notes
2024-10-07 04:10:33				Added to TrackCVE