PT-2025-34282 · Esri · Esri Portal for ArcGIS Enterprise Sites

Published: 2025-08-21 · Updated: 2025-09-05 · CVE-2025-55106

CVSS v3.1: 4.8 Medium

Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 through 11.4
Description: A stored Cross-site Scripting issue exists that may allow a remote, authenticated attacker to inject a malicious file containing an XSS script. When loaded, this script could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, and it could lead to the disclosure of a privileged token, potentially granting the attacker full control of the Portal.
Recommendations: For Esri Portal for ArcGIS Enterprise Sites versions 10.9.1, 10.9.2 through 10.9.4, 11.0, 11.1, 11.2, 11.3, and 11.4, apply the necessary updates or mitigations as provided by Esri.

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2025-55106

Affected Products: Esri Portal for ArcGIS Enterprise Sites