PT-2023-20347 · Esri · ArcGIS Server

Published: 2023-07-21 · Updated: 2024-10-08 · CVE-2023-25840

CVSS v3.1: 3.4 (Low)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: ArcGIS Server versions 10.8.1 through 11.1

Description: The issue is a cross-site scripting vulnerability that may allow a remote, authenticated attacker to create a crafted link. When the victim moves the mouse over this link, it could render an image in the victim's browser, but it does not execute. The privileges required to carry out this attack are high.

Recommendations: For ArcGIS Server versions 10.8.1 through 11.1, consider disabling the functionality that allows the creation of crafted links until a patch is available. Restrict access to sensitive areas of the server to minimize the risk of exploitation. Avoid using features that may trigger the onmouseover event in the affected browser. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Tags: XSS

Weakness Enumeration

Related Identifiers: CVE-2023-25840

Affected Products: ArcGIS Server