CVE-2024-25702 MEDIUM

CVE-2024-25702: BUG-000160599 - Stored XSS in Portal for ArcGIS Web App Builder

Vendor Esri
Product ArcGIS Enterprise Web App Builder
Weakness CWE-79 · XSS
Published October 4, 2024
Last update April 10, 2025
View on NVD All CVEs

CVSS base score

4.8/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 11.1 and below that may allow a remote, authenticated attacker to create a crafted link that is stored in the site configuration which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal.

Key dates

02Disclosure timeline

October 4, 2024 CVE published
April 10, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-13462 WP Wiki Tooltip <= 2.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2026-2440 SurveyJS: Drag & Drop Form Builder <= 2.5.3 - Unauthenticated Stored Cross-Site Scripting CVE-2026-4332 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab CVE-2025-53933 WeGIA vulnerable to Stored Cross-Site Scripting via endpoint 'adicionar_enfermidade.php' parameter 'nome' CVE-2024-9210 MC4WP: Mailchimp Top Bar <= 1.6.0 - Reflected Cross-Site Scripting