CVE-2024-38038

Name of the Vulnerable Software and Affected Versions Esri Portal for ArcGIS versions 10.7.1 through 10.9.1

Description The issue is related to a reflected XSS vulnerability that may allow a remote, unauthenticated attacker to create a crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim's browser. This could enable the attacker to perform cross-site scripting attacks.

Recommendations For Esri Portal for ArcGIS version 10.7.1, update to a version that includes the fix for this issue. For Esri Portal for ArcGIS version 10.8.1, update to a version that includes the fix for this issue. For Esri Portal for ArcGIS version 10.9.1, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to potentially vulnerable web pages until a patch is available.