CVE-2024-25701

Name of the Vulnerable Software and Affected Versions Esri Portal for ArcGIS Enterprise Experience Builder versions 10.8.1 through 11.1

Description The issue is related to a stored Cross-site Scripting vulnerability that may allow a remote, authenticated attacker to create a crafted link stored in the Experience Builder Embed widget. When loaded, this link could potentially execute arbitrary JavaScript code in the victim's browser, disclosing a privileged token and resulting in the attacker gaining full control of the Portal. The privileges required to execute this attack are high.

Recommendations For Esri Portal for ArcGIS Enterprise Experience Builder versions 10.8.1 through 11.1, consider disabling the Experience Builder Embed widget until a patch is available to prevent the execution of arbitrary JavaScript code. Restrict access to the widget to minimize the risk of exploitation. Avoid using the widget to store crafted links until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.