cbcvebase.
CVE-2023-25835
published 2023-07-21

CVE-2023-25835: There is a stored Cross‑Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS Sites versions 11.1 and below that may allow a remote, authenticated…

PriorityP337high8.4CVSS 3.1
AVNACLPRHUIRSCCHIHAH
EPSS
0.69%
48.0th percentile
There is a stored Cross‑Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS Sites versions 11.1 and below that may allow a remote, authenticated attacker with high‑privileged access to create a crafted link that is persisted within the site configuration. When accessed by a victim, the stored payload may execute arbitrary JavaScript code in the victim’s browser. Successful exploitation could allow the attacker to access sensitive user data and session information, alter trusted site content and user actions, and disrupt normal site functionality, resulting in a high impact to confidentiality, integrity, and availability.

Affected

2 ranges
VendorProductVersion rangeFixed in
esriportal_for_arcgis10.8.1 – 11.1
esriportal_for_arcgis_sitesAll – 11.1
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.