Vulnerability Description
There is a stored Cross‑Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS Sites versions 11.1 and below that may allow a remote, authenticated attacker with high‑privileged access to create a crafted link that is persisted within the site configuration. When accessed by a victim, the stored payload may execute arbitrary JavaScript code in the victim’s browser. Successful exploitation could allow the attacker to access sensitive user data and session information, alter trusted site content and user actions, and disrupt normal site functionality, resulting in a high impact to confidentiality, integrity, and availability.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Esri | Portal For Arcgis | >= 10.8.1, <= 11.1 |
Related Weaknesses (CWE)
References
- https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-forVendor Advisory
- https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-forVendor Advisory
FAQ
What is CVE-2023-25835?
CVE-2023-25835 is a vulnerability with a CVSS score of 8.4 (HIGH). There is a stored Cross‑Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS Sites versions 11.1 and below that may allow a remote, authenticated attacker with high‑privileged access to create...
How severe is CVE-2023-25835?
CVE-2023-25835 has been rated HIGH with a CVSS base score of 8.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-25835?
Check the references section above for vendor advisories and patch information. Affected products include: Esri Portal For Arcgis.