CVE-2024-25694

There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise versions 10.8.1 – 10.9.1 that may allow a remote, authenticated attacker to create a crafted link that is stored in the Layer Showcase application configuration which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal.
Configurations

Configuration 1 (hide)

cpe:2.3:a:esri:portal_for_arcgis:*:*:*:*:*:*:*:*

History

16 Oct 2024, 21:00

Type Values Removed Values Added
References () https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2024-update-2-released/ - () https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2024-update-2-released/ - Vendor Advisory
First Time Esri
Esri portal For Arcgis
CPE cpe:2.3:a:esri:portal_for_arcgis:*:*:*:*:*:*:*:*

07 Oct 2024, 17:48

Type Values Removed Values Added
Summary
  • (es) Existe una vulnerabilidad de cross-site scripting almacenado en Esri Portal for ArcGIS Enterprise versiones 10.8.1 – 10.9.1 que puede permitir que un atacante remoto autenticado cree un vínculo manipulado que se almacena en la configuración de la aplicación Layer Showcase y que, al hacer clic en él, podría ejecutar código JavaScript arbitrario en el navegador de la víctima. Los privilegios necesarios para ejecutar este ataque son altos. El ataque podría revelar un token privilegiado que puede hacer que el atacante obtenga el control total del Portal.

04 Oct 2024, 18:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-10-04 18:15

Updated : 2024-10-16 21:00


NVD link : CVE-2024-25694

Mitre link : CVE-2024-25694

CVE.ORG link : CVE-2024-25694


JSON object : View

Products Affected

esri

  • portal_for_arcgis
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')