CVE-2023-25840 LOW

CVE-2023-25840: BUG-000154070 Stored XSS issue in the ArcGIS REST Services directory

Vendor Esri

Product ArcGIS Enterprise Server

Weakness CWE-79 · XSS

Published July 21, 2023

Last update April 10, 2025

View on NVD All CVEs

CVSS base score

3.4/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction Required

Confidentiality None

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N

What the vulnerability does

01Description

There is a Cross-site Scripting vulnerability in ArcGIS Server in versions 11.1 and below that may allow a remote, authenticated attacker to create a crafted link which onmouseover wont execute but could potentially render an image in the victims browser. The privileges required to execute this attack are high.

Key dates

02Disclosure timeline

July 21, 2023 CVE published

April 10, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-25840 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2026-6690 LifePress <= 2.2.2 - Unauthenticated Stored Cross-Site Scripting via 'n' Parameter via lp_update_mds AJAX Action CVE-2025-64167 Combodo iTop vulnerable to reflected XSS in webservices/export.php CVE-2026-6725 WPC Smart Messages for WooCommerce <= 4.2.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attribute CVE-2025-22578 WordPress WP Cookie plugin <= 1.0.0 - Cross Site Scripting (XSS) vulnerability CVE-2024-1506 Prime Slider – Addons For Elementor <= 3.13.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Fiestar Widget