History: Apr 04, 2024 - 6:15 p.m.

CVE-2024-25697

2024-04-04 18:15:11
CWE-79
Esri
web.nvd.nist.gov
55
cve-2024-25697
cross-site scripting
portal for arcgis
remote attacker
authenticated user
crafted link
bio page
image rendering
low privileges.

CVSS3: 5.4

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

AI Score: 6.5
Confidence: High

EPSS: 0
Percentile: 9.0%

There is a Cross-site Scripting vulnerability in Portal for ArcGIS in versions <=11.1 that may allow a remote, authenticated attacker to create a crafted link which when opening an authenticated user's bio page will render an image in the victim's browser. The privileges required to execute this attack are low.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "platforms": [
      "Windows",
      "Linux"
    ],
    "product": "Portal",
    "vendor": "Esri",
    "versions": [
      {
        "lessThanOrEqual": "<=11.1",
        "status": "affected",
        "version": "all",
        "versionType": "11.1"
      }
    ]
  }
]
