CVE-2024-25700 MEDIUM

CVE-2024-25700: Persistent XSS in URL added to a shared map

Vendor Esri

Product ArcGIS Enterprise Builder

Weakness CWE-79 · XSS

Published April 4, 2024

Last update May 12, 2025

View on NVD All CVEs

CVSS base score

4.8/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Web App Builder versions 11.1 and below that may allow a remote, authenticated attacker to create a crafted link that is stored in a web map link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high.

Key dates

02Disclosure timeline

April 4, 2024 CVE published

May 12, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-25700

Related vulnerabilities

04Related CVE

CVE-2025-53932 WeGIA vulnerable to Reflected Cross-Site Scripting via endpoint 'cadastro_adotante.php' parameter 'cpf' CVE-2025-49137 Hax CMS Stored Cross-Site Scripting vulnerability CVE-2024-4684 Campcodes Complete Web-Based School Management System exam_timetable_grade_wise.php cross site scripting CVE-2024-30199 WordPress WP-Lister Lite for Amazon plugin <= 2.6.8 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2022-1717 Custom Share Buttons with Floating Sidebar < 4.2 - Admin+ Stored XSS