CVE-2025-57876

EPSS 0.21%
Veröffentlicht 29.09.2025 19:15:36
Zuletzt bearbeitet 17.10.2025 14:15:05
Quelle psirt@esri.com
CVE-Watchlists
Login
Unerledigt
Login

Stored XSS vulnerability in Portal for ArcGIS

There is a stored Cross-site Scripting vulnerability in  Esri Portal for ArcGIS  11.4 and below that may allow a remote, authenticated attacker to inject malicious a file with an embedded xss script which when loaded could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

NVD 20 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Esri ≫ Portal For Arcgis Version10.9.1 Update-

Esri ≫ Portal For Arcgis Version10.9.1 Updatesecurity_2025_update1

Esri ≫ Portal For Arcgis Version10.9.1 Updatesecurity_2025_update2

Esri ≫ Portal For Arcgis Version11.0

Esri ≫ Portal For Arcgis Version11.1 Update-

Esri ≫ Portal For Arcgis Version11.1 Updatesecurity_2024_update1

Esri ≫ Portal For Arcgis Version11.1 Updatesecurity_2024_update2

Esri ≫ Portal For Arcgis Version11.1 Updatesecurity_2025_update1

Esri ≫ Portal For Arcgis Version11.1 Updatesecurity_2025_update2

Esri ≫ Portal For Arcgis Version11.2 Update-

Esri ≫ Portal For Arcgis Version11.2 Updatesecurity_2024_update1

Esri ≫ Portal For Arcgis Version11.2 Updatesecurity_2024_update2

Esri ≫ Portal For Arcgis Version11.2 Updatesecurity_2025_update1

Esri ≫ Portal For Arcgis Version11.2 Updatesecurity_2025_update2

Esri ≫ Portal For Arcgis Version11.3 Update-

Esri ≫ Portal For Arcgis Version11.3 Updatesecurity_2025_update1

Esri ≫ Portal For Arcgis Version11.3 Updatesecurity_2025_update2

Esri ≫ Portal For Arcgis Version11.4 Update-

Esri ≫ Portal For Arcgis Version11.4 Updatesecurity_2025_update1

Esri ≫ Portal For Arcgis Version11.4 Updatesecurity_2025_update2

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.21%	0.108

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
psirt@esri.com	4.8	1.7	2.7	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2025-update-3-patch

Patch

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-57876

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-57876

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-57876

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-57876