CVE-2024-38040 HIGH

CVE-2024-38040: BUG-000167984 - Portal for ArcGIS has a Local file inclusion (LFI) vulnerability

Vendor Esri
Product Portal for ArcGIS
Weakness CWE-73
Published October 4, 2024
Last update April 10, 2025

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

There is a local file inclusion vulnerability in Esri Portal for ArcGIS 11.2 and below that may allow a remote, unauthenticated attacker to craft a URL that could potentially disclose sensitive configuration information by reading internal files.

Key dates

02Disclosure timeline

October 4, 2024 CVE published
April 10, 2025 Record updated