CVE-2023-25837

  1. Yack CVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-25837

8.4 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.7 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

T

here is a Cross‑Site Scripting (XSS) vulnerability in Esri ArcGIS Enterprise Sites versions 10.9 and below that may allow a remote, authenticated attacker to create a crafted link which, when clicked by a victim, could result in the execution of arbitrary JavaScript code in the target’s browser. Exploitation requires high‑privileged authenticated access. Successful exploitation may allow the attacker to access sensitive session data, manipulate trusted content, and disrupt normal application functionality, resulting in a high impact to confidentiality, integrity, and availability.

References
Link Resource
https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-enterprise-sites-security-patch-is-now-available/ Vendor Advisory
https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-enterprise-sites-security-patch-is-now-available/ Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:esri:portal_for_arcgis:*:*:*:*:*:*:*:*
History

06 Feb 2026, 07:16

Type Values Removed Values Added
Summary (en) There is a Cross-site Scripting vulnerability in Esri ArcGIS Enterprise Sites versions 10.9 and below that may allow a remote, authenticated attacker to create a crafted link which when clicked by a victim could potentially execute arbitrary JavaScript code in the target's browser.  The privileges required to execute this attack are high.    The impact to Confidentiality, Integrity and Availability are High. (en) There is a Cross‑Site Scripting (XSS) vulnerability in Esri ArcGIS Enterprise Sites versions 10.9 and below that may allow a remote, authenticated attacker to create a crafted link which, when clicked by a victim, could result in the execution of arbitrary JavaScript code in the target’s browser. Exploitation requires high‑privileged authenticated access. Successful exploitation may allow the attacker to access sensitive session data, manipulate trusted content, and disrupt normal application functionality, resulting in a high impact to confidentiality, integrity, and availability.

10 Apr 2025, 19:15

Type Values Removed Values Added
Summary (en) There is a Cross-site Scripting vulnerability in Esri ArcGIS Enterprise Sites versions 10.8.1 – 10.9 that may allow a remote, authenticated attacker to create a crafted link which when clicked by a victim could potentially execute arbitrary JavaScript code in the target's browser.  The privileges required to execute this attack are high.    The impact to Confidentiality, Integrity and Availability are High. (en) There is a Cross-site Scripting vulnerability in Esri ArcGIS Enterprise Sites versions 10.9 and below that may allow a remote, authenticated attacker to create a crafted link which when clicked by a victim could potentially execute arbitrary JavaScript code in the target's browser.  The privileges required to execute this attack are high.    The impact to Confidentiality, Integrity and Availability are High.

21 Nov 2024, 07:50

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 4.8 		v2 : unknown
v3 : 8.4
References () https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-enterprise-sites-security-patch-is-now-available/ - Vendor Advisory () https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-enterprise-sites-security-patch-is-now-available/ - Vendor Advisory

08 Oct 2024, 17:15

Type Values Removed Values Added
Summary (en) There is a Cross-site Scripting vulnerability in Esri ArcGIS Enterprise Sites versions 10.8.1 – 10.9 that may allow a remote, authenticated attacker to create a crafted link which when clicked by a victim could potentially execute arbitrary JavaScript code in the target's browser.  The privileges required to execute this attack are high.    The impact to Confidentiality, Integrity and Availability are High. (en) There is a Cross-site Scripting vulnerability in Esri ArcGIS Enterprise Sites versions 10.8.1 – 10.9 that may allow a remote, authenticated attacker to create a crafted link which when clicked by a victim could potentially execute arbitrary JavaScript code in the target's browser.  The privileges required to execute this attack are high.    The impact to Confidentiality, Integrity and Availability are High.
Information

Published : 2023-07-21 04:15

Updated : 2026-02-13 19:41

NVD link : CVE-2023-25837

Mitre link : CVE-2023-25837

CVE.ORG link : CVE-2023-25837

JSON object : View

Products Affected

esri

CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')