Vulnerability Description
There is a stored Cross-site Scripting vulnerability in Esri ArcGIS Server versions 11.0 and below on Windows and Linux platforms that may allow a remote, unauthenticated attacker to create crafted content which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. Mitigation: Disable anonymous access to ArcGIS Feature services with edit capabilities.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Esri | Arcgis Server | >= 10.8.1, < 11.1 |
| Linux | Linux Kernel | - |
| Microsoft | Windows | - |
Related Weaknesses (CWE)
References
- https://www.esri.com/arcgis-blog/products/trust-arcgis/announcements/arcgis-servPatchVendor Advisory
- https://www.esri.com/arcgis-blog/products/trust-arcgis/announcements/arcgis-servPatchVendor Advisory
FAQ
What is CVE-2023-25841?
CVE-2023-25841 is a vulnerability with a CVSS score of 6.1 (MEDIUM). There is a stored Cross-site Scripting vulnerability in Esri ArcGIS Server versions 11.0 and below on Windows and Linux platforms that may allow a remote, unauthenticated attacker to create crafted co...
How severe is CVE-2023-25841?
CVE-2023-25841 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-25841?
Check the references section above for vendor advisories and patch information. Affected products include: Esri Arcgis Server, Linux Linux Kernel, Microsoft Windows.