CVE-2023-25837 HIGH

CVE-2023-25837: BUG-000133088 - ArcGIS Enterprise site builder is subject to stored XSS.

Vendor: Esri
Product: Portal for ArcGIS Sites
Weakness: CWE-79 · XSS
Published: July 21, 2023
Last update: February 6, 2026

CVSS base score

8.4/10
Attack vector: Network
Attack complexity: Low
Privileges required: High
User interaction: Required
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

There is a Cross‑Site Scripting (XSS) vulnerability in Esri ArcGIS Enterprise Sites versions 10.9 and below that may allow a remote, authenticated attacker to create a crafted link which, when clicked by a victim, could result in the execution of arbitrary JavaScript code in the target’s browser. Exploitation requires high‑privileged authenticated access. Successful exploitation may allow the attacker to access sensitive session data, manipulate trusted content, and disrupt normal application functionality, resulting in a high impact to confidentiality, integrity, and availability.

Key dates

02 Disclosure timeline

July 21, 2023 CVE published
February 6, 2026 Record updated
