CVE-2023-25835

HIGH

Esri Portal for ArcGIS 10.8.1-11.1 - Authenticated Stored Cross-Site Scripting via Site Configuration Link

Title source: llm

Description

There is a stored Cross‑Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS Sites versions 11.1 and below that may allow a remote, authenticated attacker with high‑privileged access to create a crafted link that is persisted within the site configuration. When accessed by a victim, the stored payload may execute arbitrary JavaScript code in the victim’s browser. Successful exploitation could allow the attacker to access sensitive user data and session information, alter trusted site content and user actions, and disrupt normal site functionality, resulting in a high impact to confidentiality, integrity, and availability.

References (1)

Core 1

Core References

Vendor Advisory

https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-enterprise-sites-security-patch-is-now-available/

Scores

CVSS v3 8.4

EPSS 0.0038

EPSS Percentile 59.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-79

Status published

Products (1)

esri/portal_for_arcgis 10.8.1 - 11.1

Published Jul 21, 2023

Tracked Since Feb 18, 2026