CVE-2024-25697 MEDIUM

CVE-2024-25697: Stored XSS in Portal for ArcGIS

Vendor Esri

Product Portal for ArcGIS

Weakness CWE-79 · XSS

Published April 4, 2024

Last update April 10, 2025

View on NVD All CVEs

CVSS base score

5.4/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

There is a Cross-site Scripting vulnerability in Portal for ArcGIS in versions 11.1 and below that may allow a remote, authenticated attacker to create a crafted link which when opening an authenticated users bio page will render an image in the victims browser. The privileges required to execute this attack are low.

Key dates

02Disclosure timeline

April 4, 2024 CVE published

April 10, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-25697

Related vulnerabilities

04Related CVE

CVE-2021-24518 WPFront Notification Bar < 2.0.0.07176 - Authenticated Stored XSS CVE-2023-6013 H2O Local File Include CVE-2024-3343 Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE <= 2.6.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Block Attributes CVE-2023-32236 WordPress Booking Ultra Pro Plugin <= 1.1.8 is vulnerable to Cross Site Scripting (XSS) CVE-2023-43657 Improper escaping of encrypted topic titles can lead to Cross-site Scripting under non-default site configuration