CVE-2024-25698 MEDIUM

CVE-2024-25698: Reflected XSS in Portal for ArcGIS

Vendor Esri

Product Portal for ArcGIS

Weakness CWE-79 · XSS

Published April 4, 2024

Last update April 10, 2025

View on NVD All CVEs

CVSS base score

6.1/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

There is a reflected cross site scripting vulnerability in the home application in Esri Portal for ArcGIS 11.1 and below on Windows and Linux that allows a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser.

Key dates

02Disclosure timeline

April 4, 2024 CVE published

April 10, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-25698 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2024-3197 The Plus Addons for Elementor <= 5.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Attributes CVE-2019-25390 Smoothwall Express 3.1 'interfaces.cgi' Cross-Site Scripting CVE-2023-47690 WordPress Additional Order Filters for WooCommerce Plugin <= 1.10 is vulnerable to Cross Site Scripting (XSS) CVE-2024-8136 SourceCodester Record Management System sort1_user.php cross site scripting CVE-2023-46734 Symfony potential Cross-site Scripting vulnerabilities in CodeExtension filters