CVE-2024-38039

There is an HTML injection vulnerability in Esri Portal for ArcGIS versions 11.0 and below that may allow a remote, authenticated attacker to create a crafted link which when clicked could render arbitrary HTML in the victim’s browser (no stateful change made or customer data rendered).
Configurations

Configuration 1 (hide)

cpe:2.3:a:esri:portal_for_arcgis:*:*:*:*:*:*:*:*

History

15 Oct 2024, 14:34

Type Values Removed Values Added
First Time Esri
Esri portal For Arcgis
CWE CWE-79
CPE cpe:2.3:a:esri:portal_for_arcgis:*:*:*:*:*:*:*:*
References () https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2024-update-2-released/ - () https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2024-update-2-released/ - Vendor Advisory

07 Oct 2024, 17:48

Type Values Removed Values Added
Summary
  • (es) Hay una vulnerabilidad de inyección HTML en Esri Portal for ArcGIS versiones 11.0 y anteriores que puede permitir que un atacante remoto y autenticado cree un enlace diseñado que, al hacer clic, podría generar HTML arbitrario en el navegador de la víctima (no se realizan cambios con estado ni se representan datos del cliente).

04 Oct 2024, 18:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-10-04 18:15

Updated : 2024-10-15 14:34


NVD link : CVE-2024-38039

Mitre link : CVE-2024-38039

CVE.ORG link : CVE-2024-38039


JSON object : View

Products Affected

esri

  • portal_for_arcgis
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-80

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)