Esri Portal for ArcGIS Enterprise Sites
cpe:2.3:a:esri:portal_for_arcgis:*:*:*:*:*:*:*
- >= 10.9.1, <= 11.4
A stored cross-site scripting (XSS) vulnerability has been identified in Esri Portal for ArcGIS Enterprise Sites, affecting versions 10.9.1 through 11.4. It allows a remote, authenticated attacker to inject a malicious file containing an XSS payload. When this file is loaded, it could execute arbitrary JavaScript in the victim's browser. Exploitation requires high privileges and could disclose a privileged token, allowing the attacker to gain full control of the Portal.
Exploitation of this vulnerability could lead to the execution of arbitrary JavaScript in the context of the victim's browser, potentially allowing for the theft of sensitive information such as tokens that could be used to gain unauthorized access to the Portal.
Esri has released a security patch for this vulnerability as part of the Portal for ArcGIS Enterprise Sites Security 2025 Update 1 Patch. This patch is available for download from the Esri Support site. Users should also ensure that they have implemented the 2025 Top 3 New Critical Security Recommendations.