CVE-2023-25836 MEDIUM

CVE-2023-25836: BUG-000135364 XSS in 10.8.1 sites builder iframe source

Vendor Esri

Product Portal for ArcGIS Sites

Weakness CWE-79 · XSS

Published July 21, 2023

Last update April 10, 2025

View on NVD All CVEs

CVSS base score

5.4/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

There is a Cross-site Scripting vulnerability in Esri Portal for ArcGIS Sites in versions 10.9 and below that may allow a remote, authenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victims browser. The privileges required to execute this attack are low.

Key dates

02Disclosure timeline

July 21, 2023 CVE published

April 10, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-25836 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2025-54172 Stored Cross-Site Scripting in QuickCMS CVE-2024-8208 nafisulbari/itsourcecode Insurance Management System editClient.php cross site scripting CVE-2024-32469 Decidim has cross-site scripting (XSS) in the pagination CVE-2025-14112 Snillrik Restaurant <= 2.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'menu_style' Shortcode Attribute CVE-2026-24614 WordPress Flex QR Code Generator plugin <= 1.2.10 - Cross Site Scripting (XSS) vulnerability