Lucene search

EsriCVELIST:CVE-2023-25837

HistoryJul 21, 2023 - 3:42 a.m.

CVE-2023-25837 BUG-000133088 - ArcGIS Enterprise site builder is subject to stored XSS.

2023-07-2103:42:24

CWE-79

Esri

www.cve.org

arcgis enterprise

xss

vulnerability

10.8.1

10.9

remote attacker

javascript code

CVSS3

8.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

AI Score

8.3

Confidence

High

EPSS

0.001

Percentile

26.5%

JSON

There is a Cross-site Scripting vulnerability in Esri ArcGIS Enterprise Sites versions 10.8.1 – 10.9 that may allow a remote, authenticated attacker to create a crafted link which when clicked by a victim could potentially execute arbitrary JavaScript code in the target’s browser. The privileges required to execute this attack are high.

The impact to Confidentiality, Integrity and Availability are High.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "platforms": [
      "64 bit"
    ],
    "product": "Portal sites",
    "vendor": "Esri",
    "versions": [
      {
        "lessThanOrEqual": "10.9",
        "status": "affected",
        "version": "10.8.1",
        "versionType": "Portal for ArcGIS Enterprise Sites Security Patch"
      }
    ]
  }
]

References

www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-enterprise-sites-security-patch-is-now-available/

CVSS3

8.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

AI Score

8.3

Confidence

High

EPSS

0.001

Percentile

26.5%

JSON

Related for CVELIST:CVE-2023-25837