CVE-2024-25694

Name of the Vulnerable Software and Affected Versions Esri Portal for ArcGIS Enterprise versions 10.8.1 through 10.9.1

Description The issue is a stored Cross-site Scripting vulnerability that may allow a remote, authenticated attacker to create a crafted link stored in the Layer Showcase application configuration. When clicked, this link could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high, and it could disclose a privileged token, resulting in the attacker gaining full control of the Portal.

Recommendations For Esri Portal for ArcGIS Enterprise versions 10.8.1 through 10.9.1, consider disabling the Layer Showcase application configuration as a temporary workaround until a patch is available. Restrict access to the Layer Showcase to minimize the risk of exploitation. Avoid using crafted links in the Layer Showcase application configuration until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.