CVSS: 10.0EPSS: 0%CPEs: 5EXPL: 0CVE-2025-2538 – BUG-000174336
https://notcve.org/view.php?id=CVE-2025-2538
20 Mar 2025 — A specific type of ArcGIS Enterprise deployment, is vulnerable to a Password Recovery Exploitation vulnerability in Portal, that could allow an attacker to reset the password on the built in admin account. A hardcoded credential vulnerability exists in a specific deployment pattern for Esri Portal for ArcGIS versions 11.4 and below that may allow a remote authenticated attacker to gain administrative access to the system. A specific type of ArcGIS Enterprise deployment is vulnerable to a Password Recovery E... • https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2025-update-1-patch • CWE-798: Use of Hard-coded Credentials •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2024-38040 – BUG-000167984 - Portal for ArcGIS has a Local file inclusion (LFI) vulnerability
https://notcve.org/view.php?id=CVE-2024-38040
04 Oct 2024 — There is a local file inclusion vulnerability in Esri Portal for ArcGIS 11.2. 11.1, 11.0 and 10.9.1 that may allow a remote, unauthenticated attacker to craft a URL that could potentially disclose sensitive configuration information by reading internal files. • https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2024-update-2-released • CWE-73: External Control of File Name or Path •
CVSS: 6.4EPSS: 0%CPEs: 4EXPL: 0CVE-2024-25691 – BUG-000165286 - Reflected XSS in Portal for ArcGIS
https://notcve.org/view.php?id=CVE-2024-25691
04 Oct 2024 — There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 11.1, 10.9.1 and 10.8.1 which may allow a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. • https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2024-update-2-released • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-8149 – BUG-000168624 - Unvalidated redirect in Portal for ArcGIS.
https://notcve.org/view.php?id=CVE-2024-8149
04 Oct 2024 — There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 11.1 and 11.2 which may allow a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. • https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2024-update-2-released • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 4EXPL: 0CVE-2024-8148 – BUG-000168624 - Unvalidated redirect in Portal for ArcGIS. (11.2, 11.1, 10.9.1. and 10.8.1)
https://notcve.org/view.php?id=CVE-2024-8148
04 Oct 2024 — There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 10.8.1 - 11.2 that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks. • https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2024-update-2-released • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 9.9EPSS: 0%CPEs: 5EXPL: 0CVE-2024-25709 – Self-XSS style in move item dialog
https://notcve.org/view.php?id=CVE-2024-25709
04 Apr 2024 — This CVE ID has been rejected or withdrawn by its CVE Numbering Authority because this item is scheduled to be patched at a future time. There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS versions 10.8.1 – 1121 that may allow a remote, authenticated attacker to create a crafted link that can be saved as a new location when moving an existing item which will potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are h... • https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2024-update-1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2014-8266
https://notcve.org/view.php?id=CVE-2014-8266
01 Feb 2015 — Multiple cross-site scripting (XSS) vulnerabilities in the note-creation page in QPR Portal 2014.1.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) title or (2) body field. Múltiples vulnerabilidades de XSS en la página de la creación de notas en QPR Portal 2014.1.1 y anteriores permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del campo (1) title o (2) body. • http://www.kb.cert.org/vuls/id/546340 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2014-8267
https://notcve.org/view.php?id=CVE-2014-8267
01 Feb 2015 — Cross-site scripting (XSS) vulnerability in QPR Portal 2014.1.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the RID parameter. Vulnerabilidad de XSS en QPR Portal 2014.1.1 y anteriores permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro RID. • http://www.kb.cert.org/vuls/id/546340 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2014-8268
https://notcve.org/view.php?id=CVE-2014-8268
01 Feb 2015 — QPR Portal before 2012.2.1 allows remote attackers to modify or delete notes via a direct request. QPR Portal anterior a 2012.2.1 permite a atacantes remotos modificar o eliminar notas a través de una solicitud directa. • http://www.kb.cert.org/vuls/id/546340 • CWE-264: Permissions, Privileges, and Access Controls •