CVE-2024-38037

Name of the Vulnerable Software and Affected Versions Esri Portal for ArcGIS versions 10.9.1 through 11.0

Description The issue is related to an unvalidated redirect vulnerability that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks. This flaw lets a remote attacker create a URL that could redirect users to any website, potentially leading to phishing attacks.

Recommendations For Esri Portal for ArcGIS versions 10.9.1 through 11.0, consider disabling the redirect functionality until a patch is available. As a temporary workaround, restrict access to the vulnerable portal to minimize the risk of exploitation. Avoid using the portal for sensitive operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.