CVE-2024-25702

Name of the Vulnerable Software and Affected Versions Esri Portal for ArcGIS Enterprise Sites versions 10.8.1 through 11.1

Description The issue is related to a stored Cross-site Scripting vulnerability that may allow a remote, authenticated attacker to create a crafted link stored in the site configuration. When clicked, this link could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high, and it could disclose a privileged token, resulting in the attacker gaining full control of the Portal. The vulnerability is associated with a lack of protection for the web page structure, which can be exploited by a remote attacker to perform cross-site scripting attacks and gain full control of the application using a specially crafted web page.

Recommendations For Esri Portal for ArcGIS Enterprise Sites versions 10.8.1 through 11.1, consider disabling the functionality that allows storing links in the site configuration as a temporary workaround until a patch is available. Restrict access to the site configuration to minimize the risk of exploitation. Avoid using the site configuration to store links until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.