CVE-2024-25706 MEDIUM

CVE-2024-25706: HTMLi at createFolder Content Injection

Vendor Esri
Product Portal for ArcGIS
Weakness CWE-94 · Code injection
Published April 4, 2024
Last update April 10, 2025

CVSS base score

6.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

There is an HTML injection vulnerability in Esri Portal for ArcGIS 11.0 and below that may allow a remote, unauthenticated attacker to craft a URL which, when clicked, could potentially generate a message that may entice an unsuspecting victim to visit an arbitrary website. This could simplify phishing attacks.

Key dates

02Disclosure timeline

April 4, 2024 CVE published
April 10, 2025 Record updated