CVE-2024-25694

MEDIUM

4.8

Descripcion

There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise versions 11.1 and below that may allow a remote, authenticated attacker to create a crafted link that is stored in the Layer Showcase application configuration which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal.

Detalles CVE

Puntuacion CVSS v3.14.8

SeveridadMEDIUM

Vector CVSSCVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Vector de ataqueNETWORK

ComplejidadLOW

Privilegios requeridosHIGH

Interaccion usuarioREQUIRED

Publicado10/4/2024

Ultima modificacion4/10/2025

Fuentenvd

Avistamientos honeypot0

Productos afectados

esri:portal_for_arcgis

Debilidades (CWE)

CWE-79

Referencias

https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2024-update-2-released/(psirt@esri.com)

Correlaciones IOC

Sin correlaciones registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.