CVE-2023-25840

LOW

3.4

Descricao

There is a Cross-site Scripting vulnerability in ArcGIS Server in versions 11.1 and below that may allow a remote, authenticated attacker to create a crafted link which onmouseover wont execute but could potentially render an image in the victims browser. The privileges required to execute this attack are high.

Detalhes CVE

Pontuacao CVSS v3.13.4

SeveridadeLOW

Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N

Vetor de ataqueNETWORK

ComplexidadeLOW

Privilegios necessariosHIGH

Interacao do usuarioREQUIRED

Publicado7/21/2023

Ultima modificacao4/10/2025

Fontenvd

Avistamentos honeypot0

Produtos afetados

esri:arcgis_serverlinux:linux_kernelmicrosoft:windows

Fraquezas (CWE)

CWE-79

Referencias

https://www.esri.com/arcgis-blog/products/trust-arcgis/announcements/arcgis-server-security-2023-update-1-patch-available/(psirt@esri.com)

https://www.esri.com/arcgis-blog/products/trust-arcgis/announcements/arcgis-server-security-2023-update-1-patch-available/(af854a3a-2127-422b-91ae-364da2661108)

Correlacoes IOC

Sem correlacoes registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.