Vulnerability Description
There is a Cross‑Site Scripting (XSS) vulnerability in Esri ArcGIS Enterprise Sites versions 10.9 and below that may allow a remote, authenticated attacker to create a crafted link which, when clicked by a victim, could result in the execution of arbitrary JavaScript code in the target’s browser. Exploitation requires high‑privileged authenticated access. Successful exploitation may allow the attacker to access sensitive session data, manipulate trusted content, and disrupt normal application functionality, resulting in a high impact to confidentiality, integrity, and availability.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Esri | Portal For Arcgis | >= 10.8.1, <= 10.9 |
Related Weaknesses (CWE)
References
- https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-forVendor Advisory
- https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-forVendor Advisory
FAQ
What is CVE-2023-25837?
CVE-2023-25837 is a vulnerability with a CVSS score of 8.4 (HIGH). There is a Cross‑Site Scripting (XSS) vulnerability in Esri ArcGIS Enterprise Sites versions 10.9 and below that may allow a remote, authenticated attacker to create a crafted link which, when clicked...
How severe is CVE-2023-25837?
CVE-2023-25837 has been rated HIGH with a CVSS base score of 8.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-25837?
Check the references section above for vendor advisories and patch information. Affected products include: Esri Portal For Arcgis.