CVE-2022-38210 MEDIUM

CVE-2022-38210: HTML injection in accountswitcher-callback.html (10.9.1, 10.8.1 and 10.7.1 only)

Vendor Esri
Product ArcGIS Enterprise
Weakness CWE-80 · XSS · basic
Published December 30, 2022
Last update April 10, 2025

CVSS base score

6.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

There is a reflected HTML injection vulnerability in Esri Portal for ArcGIS versions 10.9.1 and below that may allow a remote, unauthenticated attacker to create a crafted link which when clicked could render arbitrary HTML in the victim’s browser.

Key dates

02Disclosure timeline

December 30, 2022 CVE published
April 10, 2025 Record updated

Related vulnerabilities

04Related CVE