CVE-2023-25837

There is a Cross-site Scripting vulnerability in Esri ArcGIS Enterprise Sites versions 10.8.1 – 10.9 that may allow a remote, authenticated attacker to create a crafted link which when clicked by a victim could potentially execute arbitrary JavaScript code in the target's browser.  The privileges required to execute this attack are high.    The impact to Confidentiality, Integrity and Availability are High.
Configurations

Configuration 1 (hide)

cpe:2.3:a:esri:portal_for_arcgis:*:*:*:*:*:*:*:*

History

08 Oct 2024, 17:15

Type Values Removed Values Added
Summary (en) There is a Cross-site Scripting vulnerability in Esri ArcGIS Enterprise Sites versions 10.8.1 – 10.9 that may allow a remote, authenticated attacker to create a crafted link which when clicked by a victim could potentially execute arbitrary JavaScript code in the target's browser.  The privileges required to execute this attack are high.    The impact to Confidentiality, Integrity and Availability are High. (en) There is a Cross-site Scripting vulnerability in Esri ArcGIS Enterprise Sites versions 10.8.1 – 10.9 that may allow a remote, authenticated attacker to create a crafted link which when clicked by a victim could potentially execute arbitrary JavaScript code in the target's browser.  The privileges required to execute this attack are high.    The impact to Confidentiality, Integrity and Availability are High.

29 Jan 2024, 22:15

Type Values Removed Values Added
Summary There is a Cross-site Scripting vulnerability in Esri ArcGIS Enterprise Sites versions 10.8.1 – 10.9 that may allow a remote, authenticated attacker to create a crafted link which when clicked by a victim could potentially execute arbitrary JavaScript code in the target's browser.  The privileges required to execute this attack are high.    There is a Cross-site Scripting vulnerability in Esri ArcGIS Enterprise Sites versions 10.8.1 – 10.9 that may allow a remote, authenticated attacker to create a crafted link which when clicked by a victim could potentially execute arbitrary JavaScript code in the target's browser.  The privileges required to execute this attack are high.    The impact to Confidentiality, Integrity and Availability are High.

29 Nov 2023, 20:15

Type Values Removed Values Added
Summary There is a Cross-site Scripting vulnerability in Esri Portal Sites in versions 10.8.1 – 10.9 that may allow a remote, authenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victims browser.  The privileges required to execute this attack are high.  No security boundary can be crossed scope is unchanged, If an admin account fell victim to this attack Confidentiality, Integrity and Availability are all High.  There is a Cross-site Scripting vulnerability in Esri ArcGIS Enterprise Sites versions 10.8.1 – 10.9 that may allow a remote, authenticated attacker to create a crafted link which when clicked by a victim could potentially execute arbitrary JavaScript code in the target's browser.  The privileges required to execute this attack are high.   

07 Aug 2023, 17:15

Type Values Removed Values Added
Summary There is a Cross-site Scripting vulnerability in Esri Portal Sites in versions 10.8.1 – 10.9 that may allow a remote, authenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victims browser.  The privileges required to execute this attack are high. There is a Cross-site Scripting vulnerability in Esri Portal Sites in versions 10.8.1 – 10.9 that may allow a remote, authenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victims browser.  The privileges required to execute this attack are high.  No security boundary can be crossed scope is unchanged, If an admin account fell victim to this attack Confidentiality, Integrity and Availability are all High. 

04 Aug 2023, 17:21

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 5.4
v2 : unknown
v3 : 4.8

31 Jul 2023, 15:10

Type Values Removed Values Added
References (MISC) https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-enterprise-sites-security-patch-is-now-available/ - (MISC) https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-enterprise-sites-security-patch-is-now-available/ - Vendor Advisory
CPE cpe:2.3:a:esri:portal_for_arcgis:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : 6.8
v2 : unknown
v3 : 5.4
First Time Esri
Esri portal For Arcgis

21 Jul 2023, 04:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-07-21 04:15

Updated : 2024-10-08 17:15


NVD link : CVE-2023-25837

Mitre link : CVE-2023-25837

CVE.ORG link : CVE-2023-25837


JSON object : View

Products Affected

esri

  • portal_for_arcgis
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')