Total
71 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-25709 | 3 Esri, Linux, Microsoft | 3 Portal For Arcgis, Linux Kernel, Windows | 2026-02-13 | N/A | 6.1 MEDIUM |
|
There is a stored Cross‑Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS versions 11.2 and below that may allow a remote, authenticated attacker to create a crafted link that can be saved as a new location when moving an existing item, which could potentially execute arbitrary JavaScript code in a victim’s browser. Exploitation does not require any privileges and can be performed by an anonymous user.
|
|||||
| CVE-2024-25705 | 3 Esri, Linux, Microsoft | 3 Portal For Arcgis, Linux Kernel, Windows | 2026-02-13 | N/A | 5.4 MEDIUM |
|
There is a cross‑site scripting (XSS) vulnerability in Esri Portal for ArcGIS Experience Builder versions 11.1 and below on Windows and Linux that allows a remote, authenticated attacker with low‑privileged access to create a crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim’s browser. Exploitation requires basic authenticated access but does not require elevated or administrative privileges, indicating low privileges are required.
|
|||||
| CVE-2024-25699 | 3 Esri, Linux, Microsoft | 4 Arcgis Enterprise, Portal For Arcgis, Linux Kernel and 1 more | 2026-02-13 | N/A | 8.5 HIGH |
|
There is a difficult‑to‑exploit improper authentication issue in the Home application for Esri Portal for ArcGIS versions 11.2 and below on Windows and Linux, and ArcGIS Enterprise versions 11.1 and below on Kubernetes, which under unique circumstances could allow a remote, authenticated attacker with low‑privileged access to compromise the confidentiality, integrity, and availability of the software. Successful exploitation allows the attacker to cross an authentication and authorization bounda ...
Show More |
|||||
| CVE-2024-8149 | 1 Esri | 1 Portal For Arcgis | 2026-02-13 | N/A | 4.6 MEDIUM |
|
There is a reflected Cross‑Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS versions 11.1 and 11.2 that may allow a remote, authenticated attacker with low‑privileged access to create a crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim’s browser. Exploitation is limited to the same browser execution context and does not result in a change of security scope beyond the affected user session.
|
|||||
| CVE-2023-25837 | 1 Esri | 1 Portal For Arcgis | 2026-02-13 | N/A | 8.4 HIGH |
|
There is a Cross‑Site Scripting (XSS) vulnerability in Esri ArcGIS Enterprise Sites versions 10.9 and below that may allow a remote, authenticated attacker to create a crafted link which, when clicked by a victim, could result in the execution of arbitrary JavaScript code in the target’s browser. Exploitation requires high‑privileged authenticated access. Successful exploitation may allow the attacker to access sensitive session data, manipulate trusted content, and disrupt normal application fu ...
Show More |
|||||
| CVE-2023-25835 | 1 Esri | 1 Portal For Arcgis | 2026-02-13 | N/A | 8.4 HIGH |
|
There is a stored Cross‑Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS Sites versions 11.1 and below that may allow a remote, authenticated attacker with high‑privileged access to create a crafted link that is persisted within the site configuration. When accessed by a victim, the stored payload may execute arbitrary JavaScript code in the victim’s browser. Successful exploitation could allow the attacker to access sensitive user data and session information, alter trusted site con ...
Show More |
|||||
| CVE-2025-4967 | 1 Esri | 1 Portal For Arcgis | 2025-12-15 | N/A | 9.1 CRITICAL |
|
Esri Portal for ArcGIS 11.4 and prior allows a remote, unauthenticated attacker to bypass the Portal’s SSRF protections.
|
|||||
| CVE-2025-2538 | 1 Esri | 1 Portal For Arcgis | 2025-12-10 | N/A | 9.8 CRITICAL |
|
A hardcoded credential vulnerability exists in a specific deployment pattern for Esri Portal for ArcGIS versions 11.4 and below that may allow a remote unauthenticated attacker to gain administrative access to the system.
|
|||||
| CVE-2025-57879 | 1 Esri | 1 Portal For Arcgis | 2025-10-17 | N/A | 6.1 MEDIUM |
|
There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks.
|
|||||
| CVE-2025-57878 | 1 Esri | 1 Portal For Arcgis | 2025-10-17 | N/A | 6.1 MEDIUM |
|
There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks.
|
|||||
| CVE-2025-57877 | 1 Esri | 1 Portal For Arcgis | 2025-10-17 | N/A | 4.8 MEDIUM |
|
There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser.
|
|||||
| CVE-2025-57876 | 1 Esri | 1 Portal For Arcgis | 2025-10-17 | N/A | 4.8 MEDIUM |
|
There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, authenticated attacker to inject malicious a file with an embedded xss script which when loaded could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal.
|
|||||
| CVE-2025-57875 | 1 Esri | 1 Portal For Arcgis | 2025-10-17 | N/A | 4.8 MEDIUM |
|
There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser.
|
|||||
| CVE-2025-57874 | 1 Esri | 1 Portal For Arcgis | 2025-10-17 | N/A | 4.8 MEDIUM |
|
There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser.
|
|||||
| CVE-2025-57873 | 1 Esri | 1 Portal For Arcgis | 2025-10-17 | N/A | 4.8 MEDIUM |
|
There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser.
|
|||||
| CVE-2025-57872 | 1 Esri | 1 Portal For Arcgis | 2025-10-17 | N/A | 6.1 MEDIUM |
|
There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks.
|
|||||
| CVE-2025-57871 | 1 Esri | 1 Portal For Arcgis | 2025-10-17 | N/A | 4.8 MEDIUM |
|
There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser.
|
|||||
| CVE-2025-55107 | 1 Esri | 1 Portal For Arcgis | 2025-09-05 | N/A | 4.8 MEDIUM |
|
There is a stored
Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites
versions 10.9.1 – 11.4 that may allow a remote, authenticated attacker to
inject malicious a file with an embedded xss script which when loaded could
potentially execute arbitrary JavaScript code in the victim’s browser. The
privileges required to execute this attack are high. The attack could
disclose a privileged token which may result in the attacker gaining full
control of the Portal ...
Show More |
|||||
| CVE-2025-55106 | 1 Esri | 1 Portal For Arcgis | 2025-09-05 | N/A | 4.8 MEDIUM |
|
There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 – 11.4 that may allow a remote, authenticated attacker to inject malicious a file with an embedded xss script which when loaded could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal.
|
|||||
| CVE-2025-55105 | 1 Esri | 1 Portal For Arcgis | 2025-09-05 | N/A | 4.8 MEDIUM |
|
There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 – 11.4 that may allow a remote, authenticated attacker to inject malicious a file with an embedded xss script which when loaded could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal.
|
|||||
| CVE-2025-55104 | 1 Esri | 1 Portal For Arcgis | 2025-09-05 | N/A | 4.8 MEDIUM |
|
A stored cross-site scripting (XSS) vulnerability exists ArcGIS HUB and ArcGIS Enterprise Sites which allows an authenticated user with the ability to create or edit a site to add and store an XSS payload. If this stored XSS payload is triggered by any user attacker supplied JavaScript may execute in the victim's browser.
|
|||||
| CVE-2025-55103 | 1 Esri | 1 Portal For Arcgis | 2025-09-05 | N/A | 4.8 MEDIUM |
|
There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 – 11.4 that may allow a remote, authenticated attacker to inject malicious a file with an embedded xss script which when loaded could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal.
|
|||||
| CVE-2023-25836 | 1 Esri | 1 Portal For Arcgis | 2025-04-23 | N/A | 5.4 MEDIUM |
|
There is a Cross-site Scripting vulnerability in Esri Portal for ArcGIS Sites in versions 10.9 and below that may allow a remote, authenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victims browser. The privileges required to execute this attack are low.
|
|||||
| CVE-2023-25831 | 1 Esri | 1 Portal For Arcgis | 2025-04-23 | N/A | 6.1 MEDIUM |
|
There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.9.1and below which may allow a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser.
|
|||||
| CVE-2023-25830 | 1 Esri | 1 Portal For Arcgis | 2025-04-23 | N/A | 6.1 MEDIUM |
|
There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.9.1and before which may allow a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser.
|
|||||
| CVE-2023-25829 | 1 Esri | 1 Portal For Arcgis | 2025-04-23 | N/A | 6.1 MEDIUM |
|
There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.0 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks.
|
|||||
| CVE-2024-38038 | 1 Esri | 1 Portal For Arcgis | 2025-04-10 | N/A | 6.1 MEDIUM |
|
There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 11.1 which may allow a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser.
|
|||||
| CVE-2024-25702 | 1 Esri | 1 Portal For Arcgis | 2025-04-10 | N/A | 4.8 MEDIUM |
|
There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 11.1 and below that may allow a remote, authenticated attacker to create a crafted link that is stored in the site configuration which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal.
|
|||||
| CVE-2024-25701 | 1 Esri | 1 Portal For Arcgis | 2025-04-10 | N/A | 4.8 MEDIUM |
|
There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Experience Builder versions 11.1 and below that may allow a remote, authenticated attacker to create a crafted link that is stored in the Experience Builder Embed widget which when loaded could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining fu ...
Show More |
|||||
| CVE-2024-25694 | 1 Esri | 1 Portal For Arcgis | 2025-04-10 | N/A | 4.8 MEDIUM |
|
There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise versions 11.1 and below that may allow a remote, authenticated attacker to create a crafted link that is stored in the Layer Showcase application configuration which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full cont ...
Show More |
|||||
| CVE-2024-25691 | 1 Esri | 1 Portal For Arcgis | 2025-04-10 | N/A | 6.1 MEDIUM |
|
There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 11.1 and below which may allow a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser.
|
|||||
| CVE-2024-8148 | 1 Esri | 1 Portal For Arcgis | 2025-04-10 | N/A | 6.1 MEDIUM |
|
There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.2 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks.
|
|||||
| CVE-2024-38040 | 1 Esri | 1 Portal For Arcgis | 2025-04-10 | N/A | 7.5 HIGH |
|
There is a local file inclusion vulnerability in Esri Portal for ArcGIS 11.2 and below that may allow a remote, unauthenticated attacker to craft a URL that could potentially disclose sensitive configuration information by reading internal files.
|
|||||
| CVE-2024-38037 | 1 Esri | 1 Portal For Arcgis | 2025-04-10 | N/A | 6.1 MEDIUM |
|
There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.0 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks.
|
|||||
| CVE-2024-38036 | 1 Esri | 1 Portal For Arcgis | 2025-04-10 | N/A | 5.4 MEDIUM |
|
There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.9.1 and below which may allow a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser.
|
|||||
| CVE-2024-25706 | 1 Esri | 1 Portal For Arcgis | 2025-04-10 | N/A | 6.1 MEDIUM |
|
There is an HTML injection vulnerability in Esri Portal for ArcGIS 11.0 and below that may allow a remote, unauthenticated attacker to craft a URL which, when clicked, could potentially generate a message that may entice an unsuspecting victim to visit an arbitrary website. This could simplify phishing attacks.
|
|||||
| CVE-2024-25697 | 1 Esri | 1 Portal For Arcgis | 2025-04-10 | N/A | 5.4 MEDIUM |
|
There is a Cross-site Scripting vulnerability in Portal for ArcGIS in versions 11.1 and below that may allow a remote, authenticated attacker to create a crafted link which when opening an authenticated users bio page will render an image in the victims browser. The privileges required to execute this attack are low.
|
|||||
| CVE-2024-25696 | 1 Esri | 1 Portal For Arcgis | 2025-04-10 | N/A | 4.8 MEDIUM |
|
There is a Cross-site Scripting vulnerability in Portal for ArcGIS in versions 11.0 and below that may allow a remote, authenticated attacker to create a crafted link which when accessing the page editor an image will render in the victim’s browser. The privileges required to execute this attack are high.
|
|||||
| CVE-2024-25695 | 1 Esri | 1 Portal For Arcgis | 2025-04-10 | N/A | 7.2 HIGH |
|
There is a Cross-site Scripting vulnerability in Portal for ArcGIS in versions 11.2 and below that may allow a remote, authenticated attacker to provide input that is not sanitized properly and is rendered in error messages. The are no privileges required to execute this attack.
|
|||||
| CVE-2024-25692 | 3 Esri, Linux, Microsoft | 3 Portal For Arcgis, Linux Kernel, Windows | 2025-04-10 | N/A | 5.4 MEDIUM |
|
There is a cross-site-request forgery vulnerability in Esri Portal for ArcGIS Versions 11.1 and below that may in some cases allow a remote, unauthenticated attacker to trick an authorized user into executing unwanted actions via a crafted form. The impact to Confidentiality and Integrity vectors is limited and of low severity.
|
|||||