Lucene search

[email protected]NVD:CVE-2023-25837

HistoryJul 21, 2023 - 4:15 a.m.

CVE-2023-25837

2023-07-2104:15:12

CWE-79

[email protected]

web.nvd.nist.gov

cve-2023-25837

esri arcgis enterprise

cross-site scripting

remote attacker

arbitrary javascript code

high impact

confidentiality

integrity

availability

CVSS3

4.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

AI Score

8.2

Confidence

High

EPSS

0.001

Percentile

26.5%

JSON

There is a Cross-site Scripting vulnerability in Esri ArcGIS Enterprise Sites versions 10.8.1 – 10.9 that may allow a remote, authenticated attacker to create a crafted link which when clicked by a victim could potentially execute arbitrary JavaScript code in the target’s browser. The privileges required to execute this attack are high.

The impact to Confidentiality, Integrity and Availability are High.

Affected configurations

Nvd

Node

esriportal_for_arcgisRange10.8.1–10.9

VendorProductVersionCPE
esriportal_for_arcgis*cpe:2.3:a:esri:portal_for_arcgis:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
esri	portal_for_arcgis	*	cpe:2.3:a:esri:portal_for_arcgis::::::::

References

www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-enterprise-sites-security-patch-is-now-available/