CVE-2022-38206 MEDIUM

CVE-2022-38206: Reflected XSS vulnerability in Portal for ArcGIS (10.9.1, 10.8.1 and 10.7.1 only)

Vendor Esri
Product ArcGIS Enterprise
Weakness CWE-79 · XSS
Published December 30, 2022
Last update April 10, 2025
View on NVD All CVEs

CVSS base score

6.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.9.1 and below which may allow a remote remote, unauthenticated attacker to create a crafted link which when clicked could execute arbitrary JavaScript code in the victim’s browser.

Key dates

02Disclosure timeline

December 30, 2022 CVE published
April 10, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-1082 Mindskip xzs-mysql 学之思开源考试系统 Exam Edit edit cross site scripting CVE-2026-1971 Edimax BR-6288ACL wiz_WISP24gmanual.asp wiz_WISP24gmanual cross site scripting CVE-2023-20068 Cisco Prime Infrastructure Reflected Cross-Site Scripting Vulnerability CVE-2023-37979 WordPress Ninja Forms Plugin <= 3.6.25 is vulnerable to Cross Site Scripting (XSS) CVE-2025-0839 ZoomSounds <= 6.91 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode