CVE-2024-25708 MEDIUM

CVE-2024-25708: Persistent XSS when creating new application using Web App Builder

Vendor Esri
Product ArcGIS Enterprise Web App Builder
Weakness CWE-79 · XSS
Published April 4, 2024
Last update April 10, 2025

CVSS base score

4.8/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Web App Builder versions 10.9.1 and below that may allow a remote, authenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high.

Key dates

02Disclosure timeline

April 4, 2024 CVE published
April 10, 2025 Record updated

Related vulnerabilities

04Related CVE