CVE-2024-25709

There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS versions 10.8.1 – 1121 that may allow a remote, authenticated attacker to create a crafted link that can be saved as a new location when moving an existing item which will potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high.
Configurations

No configuration.

History

10 Oct 2024, 12:57

Type Values Removed Values Added
Summary
  • (es) Existe una vulnerabilidad de Cross-site Scripting Almacenado en Esri Portal for ArcGIS versiones 10.8.1 – 1121 que puede permitir que un atacante remoto autenticado cree un vínculo manipulado que se puede guardar como una nueva ubicación al mover un elemento existente, lo que potencialmente ejecutará código JavaScript arbitrario en el navegador de la víctima. Los privilegios necesarios para ejecutar este ataque son altos.

08 Oct 2024, 17:15

Type Values Removed Values Added
References
  • () https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2024-update-1/ -
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 6.1
CWE CWE-79
Summary (en) Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority because this item is scheduled to be patched at a future time. (en) There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS versions 10.8.1 – 1121 that may allow a remote, authenticated attacker to create a crafted link that can be saved as a new location when moving an existing item which will potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high.

25 Apr 2024, 19:15

Type Values Removed Values Added
References
  • {'url': 'https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2024-update-1/', 'source': 'psirt@esri.com'}
Summary
  • (es) Existe una vulnerabilidad de Cross-Site Scripting almacenado en Esri Portal for ArcGIS versiones 10.8.1 – 1121 que puede permitir que un atacante remoto y autenticado cree un enlace manipulado que se puede guardar como una nueva ubicación al mover un elemento existente que potencialmente se ejecutará. código JavaScript arbitrario en el navegador de la víctima. Los privilegios necesarios para ejecutar este ataque son elevados.
Summary (en) There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS versions 10.8.1 – 1121 that may allow a remote, authenticated attacker to create a crafted link that can be saved as a new location when moving an existing item which will potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high.  (en) Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority because this item is scheduled to be patched at a future time.
CWE CWE-79
CVSS v2 : unknown
v3 : 6.1
v2 : unknown
v3 : unknown

19 Apr 2024, 23:15

Type Values Removed Values Added
References
  • {'url': 'https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2024-update-2/', 'source': 'psirt@esri.com'}
  • () https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2024-update-1/ -
Summary
  • (es) Existe una vulnerabilidad de Cross-Site Scripting almacenado en Esri Portal for ArcGIS versiones 10.8.1 – 1121 que puede permitir que un atacante remoto y autenticado cree un enlace manipulado que se puede guardar como una nueva ubicación al mover un elemento existente que potencialmente se ejecutará. código JavaScript arbitrario en el navegador de la víctima. Los privilegios necesarios para ejecutar este ataque son elevados.

04 Apr 2024, 18:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-04-04 18:15

Updated : 2024-10-10 12:57


NVD link : CVE-2024-25709

Mitre link : CVE-2024-25709

CVE.ORG link : CVE-2024-25709


JSON object : View

Products Affected

No product.

CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')