CVE-2022-38190 MEDIUM

CVE-2022-38190: Stored cross-site scripting vulnerability in Esri Portal for ArcGIS Configurable Apps

Vendor Esri

Product Portal for ArcGIS

Weakness CWE-79 · XSS

Published August 15, 2022

Last update April 10, 2025

View on NVD All CVEs

CVSS base score

6.1/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

A stored Cross Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS configurable apps may allow a remote, unauthenticated attacker to pass and store malicious strings via crafted queries which when accessed could potentially execute arbitrary JavaScript code in the user’s browser

Key dates

02Disclosure timeline

August 15, 2022 CVE published

April 10, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-38190

Related vulnerabilities

04Related CVE

CVE-2024-1450 Shariff Wrapper <= 4.6.10 - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2024-51861 WordPress EventPress plugin <= 1.0.0 - Stored Cross Site Scripting (XSS) vulnerability CVE-2024-3525 Campcodes Online Event Management System index.php cross site scripting CVE-2023-2121 Vault’s KV Diff Viewer Allowed for HTML Injection CVE-2024-4707 Materialis Companion <= 1.3.41 - Authenticated (Contributor+) Store Cross-Site Scripting via materialis_contact_form Shortcode