CVE-2023-25837: BUG-000133088 - ArcGIS Enterprise site builder is subject to stored XSS.

8.4 CVSS

Description

There is a Cross-site Scripting vulnerability in Esri ArcGIS Enterprise Sites versions 10.8.1 – 10.9 that may allow a remote, authenticated attacker to create a crafted link which when clicked by a victim could potentially execute arbitrary JavaScript code in the target's browser. The privileges required to execute this attack are high.

The impact to Confidentiality, Integrity and Availability are High.

Classification

CVE ID: CVE-2023-25837

CVSS Base Severity: HIGH

CVSS Base Score: 8.4

Affected Products

Vendor: Esri

Product: Portal for ArcGIS Sites

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.06% (probability of being exploited)

EPSS Percentile: 28.43% (scored less or equal to compared to others)

EPSS Date: 2025-02-03 (when was this score calculated)

References

https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-enterprise-sites-security-patch-is-now-available/

Timeline

2024-12-04 00:11:03 UTC
CVE

BUG-000133088 - ArcGIS Enterprise site builder is subject to stored XSS.