CVE-2023-25835: Portal for ArcGIS Enterprise Sites 2023 Security Patch is now available

The Portal for ArcGIS Enterprise Sites Security Patch is now available. This patch contains fixes for one high-severity security issue and multiple medium-priority security issues. Esri highly recommends that customers using Portal for ArcGIS 10.8.1 through 11.1 install this patch. Users at version 10.7.1 should upgrade to 10.9.1 or 11.1 and install this patch. ArcGIS 10.7.1 is in mature support status and no longer receives patches. Users working with ArcGIS Enterprise 10.7.1 and below are encouraged to upgrade to version 11.1 (preferred), 10.9.1 or 10.8.1 and install the available security patches.

This patch was released on June 28, 2023 and is available here.

We provide Common Vulnerability Scoring System v3.1 (CVSS) scores so that our customers can better assess the risk these vulnerabilities pose to their operations. Both base scores and temporal scores modified to reflect the availability of an official patch are provided.

Vulnerabilities fixed by this patch

There is a Cross-site Scripting vulnerability in Esri Portal Sites in versions 10.8.1 – 11.1 that may allow a remote, authenticated attacker to create a crafted link which, when clicked, could execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high.

CVE Details: CVE-2023-25835

  • CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
  • CVSSv3.1 Base Score: 8.4 (High) CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
  • CVSSv3.1 Environmentally Modified Score: 8.0 (High) CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H/RL:O
  • This issue affects ArcGIS Enterprise Sites: from 10.8.1 through 11.1.

ESRI Bug ID: [BUG-000153659 – A stored Cross Site Scripting (XSS) vulnerability in ArcGIS Enterprise Sites.]

There is a Cross-site Scripting vulnerability in Esri Portal Sites in versions 10.8.1 – 10.9 that may allow a remote, authenticated attacker to create a crafted link which, when clicked, could execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are low.

CVE Details: CVE-2023-25836

  • CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
  • CVSSv3.1 Base Score: 5.4 (Medium) CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
  • CVSSv3.1 Environmentally Modified Score: 5.2 (Medium) CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
  • This issue affects Portal sites: from 10.8.1 through 10.9.

ESRI Bug ID: [BUG-000135364 – There is a cross-site scripting (XSS) vulnerability in ArcGIS Enterprise Sites.]

There is a Cross-site Scripting vulnerability in Esri Portal Sites in versions 10.8.1 – 10.9 that may allow a remote, authenticated attacker to create a crafted link which, when clicked, could execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high.

CVE Details: CVE-2023-25837

  • CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
  • CVSSv3.1 Base Score: 6.8 (Medium) CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
  • CVSSv3.1 Environmentally Modified Score: 6.5 (Medium) CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
  • This issue affects Portal sites: from 10.8.1 through 10.9.

ESRI Bug ID: [BUG-000133088 – XSS in ArcGIS Enterprise sites.]
