CVE-2024-25691

Name of the Vulnerable Software and Affected Versions Esri Portal for ArcGIS versions 10.8.1 through 11.1

Description The issue is related to a reflected XSS vulnerability that may allow a remote, unauthenticated attacker to create a crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim's browser. This could be achieved through a specially crafted web page.

Recommendations For Esri Portal for ArcGIS version 10.8.1, update to a version that includes the fix for this issue. For Esri Portal for ArcGIS version 10.9.1, update to a version that includes the fix for this issue. For Esri Portal for ArcGIS version 11.1, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to potentially vulnerable web pages until a patch is available.