CVE-2024-25696 MEDIUM

CVE-2024-25696: Stored XSS in Portal for ArcGIS

Vendor Esri

Product Portal for ArcGIS

Weakness CWE-79 · XSS

Published April 4, 2024

Last update April 10, 2025

View on NVD All CVEs

CVSS base score

4.8/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

There is a Cross-site Scripting vulnerability in Portal for ArcGIS in versions 11.0 and below that may allow a remote, authenticated attacker to create a crafted link which when accessing the page editor an image will render in the victim’s browser. The privileges required to execute this attack are high.

Key dates

02Disclosure timeline

April 4, 2024 CVE published

April 10, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-25696

Related vulnerabilities

04Related CVE

CVE-2024-31087 WordPress pageMash plugin <= 1.3.0 - Cross Site Scripting (XSS) vulnerability CVE-2025-68878 WordPress Advanced Custom CSS plugin <= 1.1.0 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2023-54358 WordPress adivaha Travel Plugin 2.3 Reflected XSS via isMobile CVE-2021-24239 Pie Register < 3.7.0.1 - Reflected Cross-Site Scripting (XSS) CVE-2024-11204 ForumWP – Forum & Discussion Board <= 2.1.2 - Reflected Cross-Site Scripting via url Parameter