
CVSS: 10.0 • EPSS: 0% • CPEs: 5 • EXPL: 0

20 Mar 2025 — A specific type of ArcGIS Enterprise deployment is vulnerable to a Password Recovery Exploitation vulnerability in Portal that could allow an attacker to reset the password on the built-in admin account. A hardcoded credential vulnerability exists in a specific deployment pattern for Esri Portal for ArcGIS versions 11.4 and below that may allow a remote authenticated attacker to gain administrative access to the system. • https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2025-update-1-patch • CWE-798: Use of Hard-coded Credentials •

CVSS: 6.4 • EPSS: 0% • CPEs: 4 • EXPL: 0

04 Oct 2024 — There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 11.1, 10.9.1 and 10.8.1 which may allow a remote, unauthenticated attacker to create a crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim’s browser. • https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2024-update-2-released • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.5 • EPSS: 0% • CPEs: 2 • EXPL: 0

04 Oct 2024 — There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 11.1 and 11.2 which may allow a remote, unauthenticated attacker to create a crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim’s browser. • https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2024-update-2-released • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.4 • EPSS: 0% • CPEs: 4 • EXPL: 0

04 Oct 2024 — There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 10.8.1 - 11.2 that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks. • https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2024-update-2-released • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •

CVSS: 9.9 • EPSS: 0% • CPEs: 5 • EXPL: 0

04 Apr 2024 — This CVE ID has been rejected or withdrawn by its CVE Numbering Authority because this item is scheduled to be patched at a future time. There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS versions 10.8.1 – 1121 that may allow a remote, authenticated attacker to create a crafted link that can be saved as a new location when moving an existing item which will potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are h... • https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2024-update-1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •