5.4
CVE-2024-25697
- EPSS 0.38%
- Veröffentlicht 04.04.2024 18:15:11
- Zuletzt bearbeitet 10.04.2025 19:15:57
- Quelle psirt@esri.com
- CVE-Watchlists
- Unerledigt
LoginStored XSS in Portal for ArcGIS
There is a Cross-site Scripting vulnerability in Portal for ArcGIS in versions 11.1 and below that may allow a remote, authenticated attacker to create a crafted link which when opening an authenticated users bio page will render an image in the victims browser. The privileges required to execute this attack are low.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Esri ≫ Portal For Arcgis Version <= 11.1
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.38% | 0.293 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.4 | 2.3 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
|
| psirt@esri.com | 5.4 | 2.3 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2024-update-1/