Esri Portal for ArcGIS Enterprise Sites Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in Esri Portal for ArcGIS Enterprise Sites, affecting versions 10.9.1 through 11.4. This vulnerability allows a remote, authenticated attacker to inject a malicious file containing an XSS script. When this file is loaded, it could execute arbitrary JavaScript in the victim's browser. The attack requires high privileges and could expose a privileged token, potentially giving the attacker full control over the Portal.

Impact

Exploitation of this vulnerability could lead to the execution of arbitrary JavaScript in the context of the victim's browser, allowing for the injection of malicious scripts that could be used to steal information or perform actions on behalf of the user. In this case, it could also result in the attacker gaining full control of the Portal, according to Esri.

Remediation

Esri has released a security patch for this vulnerability as part of the Portal for ArcGIS Enterprise Sites Security 2025 Update 1 Patch. This patch is available for download from the Esri Support site. Users should also ensure that they have implemented Esri's 2025 Top 3 New Critical Security Recommendations. Customers using versions of ArcGIS Enterprise in Mature or Retired status should upgrade to a General Availability release version immediately.
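The stored XSS described above depends on an uploaded file being rendered by the browser inside the portal's own origin. As an added illustration of the general defence for this class of issue (example code, not Esri's code and not the contents of the vendor patch; the Response class, serve_upload and response_findings helpers are assumptions constructed for this example), the Python below builds the response headers a server should use when returning user-uploaded content, and a check that flags responses which would let uploaded content execute as script:

```python
"""Serving user-uploaded files so embedded markup cannot run as script.

Constructed example of the standard mitigation for stored XSS delivered
through uploaded content; it is not Esri code and does not describe the
vendor patch. The helpers below are assumptions made for this example.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Content types a browser renders as an active document when served inline.
ACTIVE_CONTENT_TYPES = {
    "text/html",
    "application/xhtml+xml",
    "image/svg+xml",
    "text/xml",
    "application/xml",
}


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (assumed structure)."""
    content_type: str
    body: bytes
    headers: dict = field(default_factory=dict)


def _safe_filename(name: str) -> str:
    """Keep only characters that cannot break out of the quoted filename."""
    return "".join(c for c in name if c.isalnum() or c in "._-") or "download"


def serve_upload(filename: str, content_type: str, body: bytes) -> Response:
    """Build a response for an uploaded file that cannot execute as a page."""
    headers = {
        # Force a download instead of inline rendering.
        "Content-Disposition": f'attachment; filename="{_safe_filename(filename)}"',
        # Stop the browser from sniffing a declared type into HTML.
        "X-Content-Type-Options": "nosniff",
        # Even if rendered, run with no script and an opaque origin.
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }
    # Never echo an active type back; downgrade it to an opaque binary type.
    if content_type.split(";")[0].strip().lower() in ACTIVE_CONTENT_TYPES:
        content_type = "application/octet-stream"
    return Response(content_type=content_type, body=body, headers=headers)


def response_findings(resp: Response) -> list[str]:
    """Defensive check: reasons a response could let uploaded content run as script."""
    findings: list[str] = []
    h = {k.lower(): v for k, v in resp.headers.items()}
    ctype = resp.content_type.split(";")[0].strip().lower()
    disposition = h.get("content-disposition", "").lower()
    if ctype in ACTIVE_CONTENT_TYPES and not disposition.startswith("attachment"):
        findings.append(f"active type {ctype} served inline")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    csp = h.get("content-security-policy", "").lower()
    if not any(tok in csp for tok in ("sandbox", "script-src 'none'", "default-src 'none'")):
        findings.append("no CSP restricting script execution")
    return findings


# Constructed sample: an uploaded "page" carrying an inline script element.
SAMPLE_BODY = b"<html><script>/* constructed test content */</script></html>"

# The weak way: the upload is returned inline with its declared type and no
# protective headers, so the browser would treat it as a document in the
# application's origin.
UNSAFE_RESPONSE = Response(content_type="text/html", body=SAMPLE_BODY, headers={})

# The hardened way: same bytes, but forced to download, unsniffable, sandboxed.
SAFE_RESPONSE = serve_upload("report.html", "text/html", SAMPLE_BODY)

if __name__ == "__main__":
    print("unsafe:", response_findings(UNSAFE_RESPONSE))
    print("safe:  ", response_findings(SAFE_RESPONSE))
```

The checker is the part worth reusing: pointed at the responses a reverse proxy or integration test captures for an upload-download endpoint, an empty findings list means uploaded content is delivered as an inert download rather than as a page in the application's origin, which is what removes the stored-XSS path regardless of what the file contains.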

Added: Aug 21, 2025, 8:25 PM
Updated: Aug 21, 2025, 8:25 PM

Vulnerability Rating

Custom Algorithm

  category        score
  spread            3.1
  impact            7.9
  exploitability    4.5
  remediation       7.7
  relevance         0.4
  threat            0.0
  urgency           2.9
  incentive         1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.