Vulnerability Description
There is a Cross-site Scripting vulnerability in ArcGIS Server in versions 11.1 and below that may allow a remote, authenticated attacker to create a crafted link which onmouseover wont execute but could potentially render an image in the victims browser. The privileges required to execute this attack are high.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Esri | Arcgis Server | >= 10.8.1, < 11.1 |
| Linux | Linux Kernel | - |
| Microsoft | Windows | - |
Related Weaknesses (CWE)
References
- https://www.esri.com/arcgis-blog/products/trust-arcgis/announcements/arcgis-servRelease NotesVendor Advisory
- https://www.esri.com/arcgis-blog/products/trust-arcgis/announcements/arcgis-servRelease NotesVendor Advisory
FAQ
What is CVE-2023-25840?
CVE-2023-25840 is a vulnerability with a CVSS score of 3.4 (LOW). There is a Cross-site Scripting vulnerability in ArcGIS Server in versions 11.1 and below that may allow a remote, authenticated attacker to create a crafted link which onmouseover wont execute but co...
How severe is CVE-2023-25840?
CVE-2023-25840 has been rated LOW with a CVSS base score of 3.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-25840?
Check the references section above for vendor advisories and patch information. Affected products include: Esri Arcgis Server, Linux Linux Kernel, Microsoft Windows.