CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-25705 – Cross site scripting issue in embed widget
https://notcve.org/view.php?id=CVE-2024-25705
04 Apr 2024 — This CVE ID has been rejected or withdrawn by its CVE Numbering Authority because this item is scheduled to be patched at a future time. There is a cross site scripting vulnerability in the Esri Portal for ArcGIS Experience Builder 11.1 and below on Windows and Linux that allows a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are low. • https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/the-portal-for-arcgis-security-2024-update-2-is-available-install-these-patches-at-your-earliest-opportunity-to-address-these-vulnerabilities • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-25706 – HTMLi at createFolder Content Injection
https://notcve.org/view.php?id=CVE-2024-25706
04 Apr 2024 — This CVE ID has been rejected or withdrawn by its CVE Numbering Authority because this item is scheduled to be patched at a future time. There is an HTML injection vulnerability in Esri Portal for ArcGIS <=11.0 that may allow a remote, unauthenticated attacker to craft a URL which, when clicked, could potentially generate a message that may entice an unsuspecting victim to visit an arbitrary website. This could simplify phishing attacks. • https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2024-update-2 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.9EPSS: 0%CPEs: 5EXPL: 0CVE-2024-25709 – Self-XSS style in move item dialog
https://notcve.org/view.php?id=CVE-2024-25709
04 Apr 2024 — This CVE ID has been rejected or withdrawn by its CVE Numbering Authority because this item is scheduled to be patched at a future time. There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS versions 10.8.1 – 1121 that may allow a remote, authenticated attacker to create a crafted link that can be saved as a new location when moving an existing item which will potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are h... • https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2024-update-1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 3EXPL: 0CVE-2024-25698 – Reflected XSS in Portal for ArcGIS
https://notcve.org/view.php?id=CVE-2024-25698
04 Apr 2024 — There is a reflected cross site scripting vulnerability in the home application in Esri Portal for ArcGIS 11.1 and below on Windows and Linux that allows a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. Hay una vulnerabilidad de Cross-Site Scripting reflejada en la aplicación doméstica en Esri Portal para ArcGIS 11.1 y versiones anteriores en Windows y Linux que permite a un atacante remoto y no autent... • https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2024-update-1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.9EPSS: 2%CPEs: 1EXPL: 0CVE-2024-25693 – Portal for ArcGIS has a directory traversal vulnerability.
https://notcve.org/view.php?id=CVE-2024-25693
04 Apr 2024 — There is a path traversal in Esri Portal for ArcGIS versions <= 11.2. Successful exploitation may allow a remote, authenticated attacker to traverse the file system to access files or execute code outside of the intended directory. Hay un path traversal en Esri Portal para versiones de ArcGIS <= 11.2. La explotación exitosa puede permitir que un atacante remoto y autenticado atraviese el sistema de archivos para acceder a archivos o ejecutar código fuera del directorio previsto. • https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2024-update-1 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2024-25695 – concatenated errors resulting in cross site scripting and frame injection issues.
https://notcve.org/view.php?id=CVE-2024-25695
04 Apr 2024 — There is a Cross-site Scripting vulnerability in Portal for ArcGIS in versions <= 11.2 that may allow a remote, authenticated attacker to provide input that is not sanitized properly and is rendered in error messages. The are no privileges required to execute this attack. Existe una vulnerabilidad de Cross-Site Scripting en Portal for ArcGIS en versiones <= 11.2 que puede permitir que un atacante remoto y autenticado proporcione entradas que no están desinfectadas adecuadamente y se muestran en mensajes ... • https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2024-update-2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-25696 – Stored XSS in Portal for ArcGIS
https://notcve.org/view.php?id=CVE-2024-25696
04 Apr 2024 — There is a Cross-site Scripting vulnerability in Portal for ArcGIS in versions <=11.0 that may allow a remote, authenticated attacker to create a crafted link which when accessing the page editor an image will render in the victim’s browser. The privileges required to execute this attack are high. Existe una vulnerabilidad de Cross-Site Scripting en Portal for ArcGIS en versiones <= 11.0 que puede permitir que un atacante remoto y autenticado cree un enlace manipulado que, al acceder al editor de páginas... • https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2024-update-1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-25697 – Stored XSS in Portal for ArcGIS
https://notcve.org/view.php?id=CVE-2024-25697
04 Apr 2024 — There is a Cross-site Scripting vulnerability in Portal for ArcGIS in versions <=11.1 that may allow a remote, authenticated attacker to create a crafted link which when opening an authenticated users bio page will render an image in the victims browser. The privileges required to execute this attack are low. Existe una vulnerabilidad de Cross-Site Scripting en Portal for ArcGIS en versiones <= 11.1 que puede permitir que un atacante remoto y autenticado cree un enlace manipulado que, al abrir la página ... • https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2024-update-1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-25708 – Persistent XSS when creating new application using Web App Builder
https://notcve.org/view.php?id=CVE-2024-25708
04 Apr 2024 — There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Web App Builder versions 10.8.1 – 10.9.1 that may allow a remote, authenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high. Existe una vulnerabilidad de Cross-Site Scripting almacenada en Esri Portal for ArcGIS Enterprise Web App Builder versiones 10.8.1 – 10.9.1 que puede permi... • https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2024-update-1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-25848 – BUG-000158039 - There is an information disclosure issue in ArcGIS Server.
https://notcve.org/view.php?id=CVE-2023-25848
25 Aug 2023 — ArcGIS Enterprise Server versions 11.0 and below have an information disclosure vulnerability where a remote, unauthorized attacker may submit a crafted query that may result in a low severity information disclosure issue. The information disclosed is limited to a single attribute in a database connection string. No business data is disclosed. • https://www.esri.com/arcgis-blog/products/trust-arcgis/announcements/arcgis-server-map-and-feature-service-security-2023-update-1-patch • CWE-319: Cleartext Transmission of Sensitive Information •