CVE-2023-25840
Severity: LOW
ArcGIS Server < 11.1 - Authenticated Stored Cross-Site Scripting via Crafted Link
Title source: llmDescription
There is a Cross-site Scripting vulnerability in ArcGIS Server in versions 11.1 and below that may allow a remote, authenticated attacker to create a crafted link whose onmouseover handler won't execute but which could potentially render an image in the victim's browser. The privileges required to execute this attack are high.
References (1)
Release Notes, Vendor Advisory: https://www.esri.com/arcgis-blog/products/trust-arcgis/announcements/arcgis-server-security-2023-update-1-patch-available/
Scores
CVSS v3: 3.4
EPSS: 0.0015
EPSS Percentile: 35.7%
Attack Vector: NETWORK
CVSS v3 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N
Details
CWE: CWE-79
Status: published
Products (1)
esri/arcgis_server: 10.8.1 - 11.1
Published: Jul 21, 2023
Tracked Since: Feb 18, 2026