CVE-2023-25835 HIGH

CVE-2023-25835: BUG-000153659 ArcGIS Enterprise Sites has a stored XSS vulnerability

Vendor: Esri
Product: Portal for ArcGIS Sites
Weakness: CWE-79 · XSS
Published: July 20, 2023
Last update: February 6, 2026

CVSS base score

8.4/10
Attack vector: Network
Attack complexity: Low
Privileges required: High
User interaction: Required
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

There is a stored Cross‑Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS Sites versions 11.1 and below that may allow a remote, authenticated attacker with high‑privileged access to create a crafted link that is persisted within the site configuration. When accessed by a victim, the stored payload may execute arbitrary JavaScript code in the victim’s browser. Successful exploitation could allow the attacker to access sensitive user data and session information, alter trusted site content and user actions, and disrupt normal site functionality, resulting in a high impact to confidentiality, integrity, and availability.

Key dates

02 Disclosure timeline

July 20, 2023: CVE published
February 6, 2026: Record updated