CVE-2022-38186 HIGH

CVE-2022-38186

Vendor Esri

Product Portal for ArcGIS

Weakness CWE-79 · XSS

Published August 15, 2022

Last update April 10, 2025

View on NVD All CVEs

CVSS base score

7.1/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

What the vulnerability does

01Description

There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.8.1 and below which may allow a remote attacker able to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the victim’s browser.

Key dates

02Disclosure timeline

August 15, 2022 CVE published

April 10, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-38186 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2021-24983 Asset CleanUp < 1.3.8.5 - Reflected Cross-Site Scripting via AJAX Action CVE-2021-24673 Appointment Hour Booking < 1.3.16 - Authenticated Stored Cross-Site Scripting CVE-2025-27002 WordPress CountDown With Image or Video Background plugin <= 1.5 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2026-57338 WordPress ARForms plugin <= 7.1.2 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2014-125110 wp-file-upload Plugin wfu_ajaxactions.php wfu_ajax_action_callback cross site scripting