CVE-2024-25697 - Cross-site Scripting vulnerability in Portal for ArcGIS

1. Vulnerability Properties

Title: Cross-site Scripting vulnerability in Portal for ArcGIS
CVE ID: CVE-2024-25697
CVSSv3.1 Base Score: 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
Vendor: Environmental Systems Research Institute, Inc. (Esri)
Products: Portal for ArcGIS
Advisory Release Date: 11-04-2024
Advisory URL: https://labs.integrity.pt/advisories/cve-2024-25697
Credits: Discovery by Pedro Valadares Pinho <pedro.pinho[at]devoteam.com>

2. Vulnerability Summary

There is a Cross-site Scripting vulnerability in Portal for ArcGIS in versions <=11.1 that may allow a remote, authenticated attacker to create a crafted link which, when an authenticated user's bio page is opened through it, will render an image in the victim's browser.
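The advisory does not publish the affected parameter or the vendor's fix, so the following is an added, generic illustration of the bug class and its standard mitigation, not code from the advisory or from Portal for ArcGIS. The page path, the `name` query parameter and the sample URL are assumptions constructed for the example. It shows a bio-page renderer that interpolates a query value straight into HTML beside one that HTML-encodes the value first, plus a small defender-side check that flags request URLs whose decoded query values carry markup.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample URL (hypothetical path and parameter, not from the
# advisory): the "name" value decodes to an <img> tag pointing at a
# third-party host, which is the "renders an image" symptom described.
SAMPLE_URL = (
    "https://portal.example.invalid/home/user.html"
    "?name=%3Cimg%20src%3D%22https%3A%2F%2Fexample.invalid%2Fpixel.png%22%3E"
)


def _query_param(url: str, key: str) -> str:
    """Return the first decoded value of a query parameter, or ''."""
    return parse_qs(urlsplit(url).query).get(key, [""])[0]


def render_bio_unsafe(url: str) -> str:
    """The bug class: untrusted input interpolated into HTML unencoded."""
    name = _query_param(url, "name")
    return f"<h1>Profile of {name}</h1>"


def render_bio_safe(url: str) -> str:
    """Mitigation: HTML-encode untrusted input for the HTML text context.

    quote=True also encodes '"' and "'", so the same helper is safe when
    the value lands inside a quoted attribute.
    """
    name = _query_param(url, "name")
    return f"<h1>Profile of {html.escape(name, quote=True)}</h1>"


def contains_markup(rendered: str) -> bool:
    """True if a live '<img' tag survives rendering (i.e. XSS succeeded)."""
    return "<img" in rendered.lower()


def suspicious_query_params(url: str) -> list[str]:
    """Defender-side triage: names of query parameters whose decoded value
    contains angle brackets. Cheap to run over proxy or access logs to spot
    reflected-XSS probing; it is a heuristic, not proof of exploitation."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(k for k, vals in params.items()
                  if any("<" in v or ">" in v for v in vals))


if __name__ == "__main__":
    print("unsafe :", render_bio_unsafe(SAMPLE_URL))
    print("safe   :", render_bio_safe(SAMPLE_URL))
    print("flagged:", suspicious_query_params(SAMPLE_URL))
```

Run as-is to see both renderings side by side; only the unsafe variant leaves an `<img` tag in the page, while the encoded variant shows the literal text `&lt;img ...&gt;` to the user. Apply the encoding at the point of output, in the template layer, rather than trying to filter input.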

3. Vulnerable Versions

  • Portal for ArcGIS in versions <=11.1

4. Solution

5. Vulnerability Timeline

  • 20/Mar/23 - Bug reported to vendor
  • 23/Mar/23 - Bug validated by vendor (BUG-000156938)
  • 11/Apr/24 - Advisory released

6. References

  • https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2024-update-2/
  • https://nvd.nist.gov/vuln/detail/CVE-2024-25697
  • https://www.cve.org/CVERecord?id=CVE-2024-25697
