Primary

Context

Esri Portal for ArcGIS Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in Esri Portal for ArcGIS versions 11.4 and earlier. This vulnerability allows a remote, authenticated attacker to inject a malicious file containing an XSS script. When this file is loaded, it could execute arbitrary JavaScript in the victim's browser. The attack requires high privileges and could expose a privileged token, potentially giving the attacker full control over the Portal.

Impact

Exploitation of this vulnerability could lead to stored cross-site scripting, allowing injected scripts to be executed in the context of the user.

Remediation

Esri has released a security patch for Portal for ArcGIS 2025 Update 3, which addresses this vulnerability. This patch is cumulative and includes all fixes from previous updates. Instructions for applying the patch are available on the Esri Support website.

Added: Sep 29, 2025, 7:19 PM

Updated: Sep 29, 2025, 7:37 PM

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

5.4

exploitability

4.5

remediation

7.7

relevance

0.6

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

5.4

exploitability

4.5

remediation

7.7

relevance

0.6

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Esri Portal for ArcGIS Stored Cross-Site Scripting Vulnerability

Vulnerability

Impact

Remediation

Affected Products

Esri Portal for ArcGIS

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating