CyberAlerts

CVE-2024-25698

Description: There is a reflected cross site scripting vulnerability in the home application in Esri Portal for ArcGIS 11.1 and below on Windows and Linux that allows a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser.

CVSS: MEDIUM (6.1)

EPSS Score: 0.09%

SSVC Exploitation: none

Source: CVE

April 10th, 2025 (11 days ago)

CVE-2024-25697

Stored XSS in Portal for ArcGIS

Description: There is a Cross-site Scripting vulnerability in Portal for ArcGIS in versions 11.1 and below that may allow a remote, authenticated attacker to create a crafted link which when opening an authenticated users bio page will render an image in the victims browser. The privileges required to execute this attack are low.

CVSS: MEDIUM (5.4)

EPSS Score: 0.08%

SSVC Exploitation: none

Source: CVE

April 10th, 2025 (11 days ago)

CVE-2024-25696

Stored XSS in Portal for ArcGIS

Description: There is a Cross-site Scripting vulnerability in Portal for ArcGIS in versions 11.0 and below that may allow a remote, authenticated attacker to create a crafted link which when accessing the page editor an image will render in the victim’s browser. The privileges required to execute this attack are high.

CVSS: MEDIUM (4.8)

EPSS Score: 0.07%

SSVC Exploitation: none

Source: CVE

April 10th, 2025 (11 days ago)

CVE-2024-25694

BUG-000163019 - Stored XSS in Portal for ArcGIS

Description: There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise versions 11.1 and below that may allow a remote, authenticated attacker to create a crafted link that is stored in the Layer Showcase application configuration which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal.

CVSS: MEDIUM (4.8)

EPSS Score: 0.04%

SSVC Exploitation: none

Source: CVE

April 10th, 2025 (11 days ago)

CVE-2024-25692

BUG-000154722 - Cross-site request forgery (CSRF) issue in Portal for ArcGIS

Description: There is a cross-site-request forgery vulnerability in Esri Portal for ArcGIS Versions 11.1 and below that may in some cases allow a remote, unauthenticated attacker to trick an authorized user into executing unwanted actions via a crafted form. The impact to Confidentiality and Integrity vectors is limited and of low severity.

CVSS: MEDIUM (5.4)

EPSS Score: 0.06%

SSVC Exploitation: none

Source: CVE

April 10th, 2025 (11 days ago)

CVE-2024-25691

BUG-000165286 - Reflected XSS in Portal for ArcGIS

Description: There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 11.1 and below which may allow a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser.

CVSS: MEDIUM (6.1)

EPSS Score: 0.06%

SSVC Exploitation: none

Source: CVE

April 10th, 2025 (11 days ago)

CVE-2024-2995

NUUO Camera deletefile.php denial of service

Description: A vulnerability was found in NUUO Camera up to 20240319 and classified as problematic. This issue affects some unknown processing of the file /deletefile.php. The manipulation of the argument filename leads to denial of service. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-258197 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. Eine problematische Schwachstelle wurde in NUUO Camera bis 20240319 gefunden. Dies betrifft einen unbekannten Teil der Datei /deletefile.php. Mittels dem Manipulieren des Arguments filename mit unbekannten Daten kann eine denial of service-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk passieren. Der Exploit steht zur öffentlichen Verfügung.

CVSS: MEDIUM (5.4)

EPSS Score: 0.05%

SSVC Exploitation: poc

Source: CVE

April 10th, 2025 (11 days ago)

CVE-2024-29179

phpMyFAQ Stored Cross-site Scripting at File Attachments

Description: phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. An attacker with admin privileges can upload an attachment containing JS code without extension and the application will render it as HTML which allows for XSS attacks.

CVSS: MEDIUM (4.3)

EPSS Score: 0.08%

SSVC Exploitation: none

Source: CVE

April 10th, 2025 (11 days ago)

CVE-2024-25709

Self-XSS style in move item dialog

Description: There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS versions 11.2 and below that may allow a remote, authenticated attacker to create a crafted link that can be saved as a new location when moving an existing item which will potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high.

CVSS: MEDIUM (6.1)

EPSS Score: 0.07%

Source: CVE

April 10th, 2025 (11 days ago)

CVE-2024-25708

Persistent XSS when creating new application using Web App Builder

Description: There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Web App Builder versions 10.9.1 and below that may allow a remote, authenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high.

CVSS: MEDIUM (4.8)

EPSS Score: 0.06%

SSVC Exploitation: none

Source: CVE

April 10th, 2025 (11 days ago)

Threat and Vulnerability Intelligence Database

Example Searches:

CVE-2024-25698	Reflected XSS in Portal for ArcGIS Description: There is a reflected cross site scripting vulnerability in the home application in Esri Portal for ArcGIS 11.1 and below on Windows and Linux that allows a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. CVSS: MEDIUM (6.1) EPSS Score: 0.09% SSVC Exploitation: none Source: CVE April 10th, 2025 (11 days ago)
CVE-2024-25697	Stored XSS in Portal for ArcGIS Description: There is a Cross-site Scripting vulnerability in Portal for ArcGIS in versions 11.1 and below that may allow a remote, authenticated attacker to create a crafted link which when opening an authenticated users bio page will render an image in the victims browser. The privileges required to execute this attack are low. CVSS: MEDIUM (5.4) EPSS Score: 0.08% SSVC Exploitation: none Source: CVE April 10th, 2025 (11 days ago)
CVE-2024-25696	Stored XSS in Portal for ArcGIS Description: There is a Cross-site Scripting vulnerability in Portal for ArcGIS in versions 11.0 and below that may allow a remote, authenticated attacker to create a crafted link which when accessing the page editor an image will render in the victim’s browser. The privileges required to execute this attack are high. CVSS: MEDIUM (4.8) EPSS Score: 0.07% SSVC Exploitation: none Source: CVE April 10th, 2025 (11 days ago)
CVE-2024-25694	BUG-000163019 - Stored XSS in Portal for ArcGIS Description: There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise versions 11.1 and below that may allow a remote, authenticated attacker to create a crafted link that is stored in the Layer Showcase application configuration which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal. CVSS: MEDIUM (4.8) EPSS Score: 0.04% SSVC Exploitation: none Source: CVE April 10th, 2025 (11 days ago)
CVE-2024-25692	BUG-000154722 - Cross-site request forgery (CSRF) issue in Portal for ArcGIS Description: There is a cross-site-request forgery vulnerability in Esri Portal for ArcGIS Versions 11.1 and below that may in some cases allow a remote, unauthenticated attacker to trick an authorized user into executing unwanted actions via a crafted form. The impact to Confidentiality and Integrity vectors is limited and of low severity. CVSS: MEDIUM (5.4) EPSS Score: 0.06% SSVC Exploitation: none Source: CVE April 10th, 2025 (11 days ago)
CVE-2024-25691	BUG-000165286 - Reflected XSS in Portal for ArcGIS Description: There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 11.1 and below which may allow a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. CVSS: MEDIUM (6.1) EPSS Score: 0.06% SSVC Exploitation: none Source: CVE April 10th, 2025 (11 days ago)
CVE-2024-2995	NUUO Camera deletefile.php denial of service Description: A vulnerability was found in NUUO Camera up to 20240319 and classified as problematic. This issue affects some unknown processing of the file /deletefile.php. The manipulation of the argument filename leads to denial of service. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-258197 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. Eine problematische Schwachstelle wurde in NUUO Camera bis 20240319 gefunden. Dies betrifft einen unbekannten Teil der Datei /deletefile.php. Mittels dem Manipulieren des Arguments filename mit unbekannten Daten kann eine denial of service-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk passieren. Der Exploit steht zur öffentlichen Verfügung. CVSS: MEDIUM (5.4) EPSS Score: 0.05% SSVC Exploitation: poc Source: CVE April 10th, 2025 (11 days ago)
CVE-2024-29179	phpMyFAQ Stored Cross-site Scripting at File Attachments Description: phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. An attacker with admin privileges can upload an attachment containing JS code without extension and the application will render it as HTML which allows for XSS attacks. CVSS: MEDIUM (4.3) EPSS Score: 0.08% SSVC Exploitation: none Source: CVE April 10th, 2025 (11 days ago)
CVE-2024-25709	Self-XSS style in move item dialog Description: There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS versions 11.2 and below that may allow a remote, authenticated attacker to create a crafted link that can be saved as a new location when moving an existing item which will potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high. CVSS: MEDIUM (6.1) EPSS Score: 0.07% Source: CVE April 10th, 2025 (11 days ago)
CVE-2024-25708	Persistent XSS when creating new application using Web App Builder Description: There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Web App Builder versions 10.9.1 and below that may allow a remote, authenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high. CVSS: MEDIUM (4.8) EPSS Score: 0.06% SSVC Exploitation: none Source: CVE April 10th, 2025 (11 days ago)