CVE-2023-25835: BUG-000153659 ArcGIS Enterprise Sites has a stored XSS vulnerability

8.4 CVSS

Description

There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.8.1 – 11.1 that may allow a remote, authenticated attacker to create a crafted link that is stored in the site configuration which when clicked could potentially execute arbitrary JavaScript code in the victims browser. The privileges required to execute this attack are high. The impact to Confidentiality, Integrity and Availability are High.

Classification

CVE ID: CVE-2023-25835

CVSS Base Severity: HIGH

CVSS Base Score: 8.4

Affected Products

Vendor: Esri

Product: Portal for ArcGIS Sites

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.06% (probability of being exploited)

EPSS Percentile: 28.43% (scored less or equal to compared to others)

EPSS Date: 2025-02-03 (when was this score calculated)

References

https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-enterprise-sites-security-patch-is-now-available/

Timeline

2024-12-04 00:11:03 UTC
CVE

BUG-000153659 ArcGIS Enterprise Sites has a stored XSS vulnerability