Esri Portal for ArcGIS Enterprise Sites
cpe:2.3:a:esri:portal_for_arcgis:*:*:*:*:*:*:*
- >= 10.9.1, <= 11.4
A stored cross-site scripting (XSS) vulnerability has been identified in Esri Portal for ArcGIS Enterprise Sites, affecting versions 10.9.1 through 11.4. It allows a remote, authenticated attacker with high privileges to inject a malicious file containing an XSS script; when that file is loaded, arbitrary JavaScript could execute in the victim's browser. A successful attack could expose a privileged token, potentially giving the attacker full control over the Portal.
Exploitation of this vulnerability results in arbitrary JavaScript running in the context of the victim's browser whenever the injected file is loaded. Because that script runs with the victim's session, it could disclose a privileged token, enabling the attacker to gain full control of the Portal.
Esri has released a security patch for this vulnerability as part of the Portal for ArcGIS Enterprise Sites Security 2025 Update 1 Patch, available for download from the Esri Support site. Administrators should also ensure that the 2025 Critical Best Practices are implemented. Those running versions of ArcGIS Enterprise in Mature or Retired status are advised to upgrade to a General Availability release version.