PT-2024-7825 · Esri · Esri Portal for ArcGIS

Published: 2024-06-11 · Updated: 2024-12-03 · CVE-2024-38036

CVSS v2.0: 5.5 (Medium)

Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N

Name of the Vulnerable Software and Affected Versions

Esri Portal for ArcGIS versions 10.9.1, 10.8.1 and 10.7.1

Description

The issue is a reflected XSS vulnerability. It may allow a remote, unauthenticated attacker to create a crafted link which, when clicked, could execute arbitrary JavaScript code in the victim's browser. This could be done by exploiting the lack of protection for the web page structure.

Recommendations

For Esri Portal for ArcGIS versions 10.9.1, 10.8.1 and 10.7.1, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to potentially vulnerable web pages until a patch is available.

Fix

XSS

Weakness Enumeration

Related Identifiers

BDU:2024-09325
CVE-2024-38036

Affected Products

Esri Portal for ArcGIS