CVE-2024-25695 HIGH

CVE-2024-25695: concatenated errors resulting in cross site scripting and frame injection issues.

Vendor Esri
Product Portal for ArcGIS
Weakness CWE-79 · XSS
Published April 4, 2024
Last update April 10, 2025

CVSS base score

7.2/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

There is a Cross-site Scripting vulnerability in Portal for ArcGIS in versions 11.2 and below that may allow a remote, authenticated attacker to provide input that is not sanitized properly and is rendered in error messages. The are no privileges required to execute this attack.

Key dates

02Disclosure timeline

April 4, 2024 CVE published
April 10, 2025 Record updated