CVE-2023-25835 in Portal Sites
Summary
by MITRE • 07/21/2023
There is a stored Cross‑Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS Sites versions 11.1 and below that may allow a remote, authenticated attacker with high‑privileged access to create a crafted link that is persisted within the site configuration. When accessed by a victim, the stored payload may execute arbitrary JavaScript code in the victim’s browser. Successful exploitation could allow the attacker to access sensitive user data and session information, alter trusted site content and user actions, and disrupt normal site functionality, resulting in a high impact to confidentiality, integrity, and availability.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 02/13/2026
The vulnerability identified as CVE-2023-25835 represents a critical stored cross-site scripting flaw within Esri Portal for ArcGIS Sites version 11.1 and earlier systems. This security weakness exists in the way the platform handles user input within site configuration parameters, creating an avenue for malicious actors to inject persistent JavaScript payloads that execute whenever victims access specific crafted links. The vulnerability specifically targets authenticated users with high-privileged access levels, which significantly reduces the attack surface requirements while simultaneously amplifying the potential impact of exploitation. Organizations utilizing Esri Portal for ArcGIS in enterprise environments face substantial risk from this flaw, particularly given the sensitive nature of geospatial data and mapping services that these platforms typically manage. The stored nature of this XSS vulnerability means that once an attacker successfully injects malicious code, the payload remains persistent within the application's configuration, allowing for repeated execution against multiple victims without requiring additional injection attempts.
The technical implementation of this vulnerability stems from insufficient input validation and output encoding mechanisms within the Esri Portal for ArcGIS administrative interfaces. When high-privileged users create or modify site configuration elements, the system fails to properly sanitize user-supplied data before storing it within the application's persistent storage. This weakness creates a direct pathway for attackers to embed malicious JavaScript within legitimate configuration parameters, which are then served to unsuspecting users when they access affected pages or links. The flaw aligns with CWE-79, which specifically addresses cross-site scripting vulnerabilities, and demonstrates a classic case of inadequate data sanitization in web applications. Attackers can leverage this vulnerability by crafting malicious links containing JavaScript payloads that exploit the application's failure to properly escape special characters and validate user input. The vulnerability's impact is particularly severe because it operates within the administrative context of the platform, where users possess elevated privileges and access to sensitive organizational data.
The operational impact of CVE-2023-25835 extends beyond simple data theft or session hijacking, encompassing a comprehensive threat to the confidentiality, integrity, and availability of the affected ArcGIS environments. Successful exploitation could enable attackers to exfiltrate sensitive geospatial data, manipulate trusted site content to mislead users, and potentially disrupt critical mapping services that organizations depend upon for operational decision-making. The vulnerability's ability to persist within site configurations means that attackers can maintain long-term access to compromised systems, creating opportunities for extended reconnaissance and lateral movement within affected networks. This persistent threat capability significantly increases the difficulty of detection and remediation, as malicious payloads can remain active for extended periods without requiring re-injection. Organizations may experience service disruption, data compromise, and potential regulatory violations if sensitive mapping data or user information is accessed or altered through this vulnerability. The attack vector specifically targets authenticated users with elevated privileges, which means that successful exploitation could result in complete compromise of the ArcGIS portal environment, potentially affecting thousands of users and large volumes of geospatial data.
Mitigation strategies for CVE-2023-25835 should prioritize immediate implementation of input validation and output encoding controls within the affected Esri Portal for ArcGIS installations. Organizations must ensure that all user-supplied data within configuration parameters undergoes rigorous sanitization before storage, with special attention to preventing JavaScript execution within administrative interfaces. The implementation of proper content security policies and input validation frameworks should be prioritized, with particular focus on addressing CWE-79 prevention measures. Security teams should conduct comprehensive audits of existing site configurations to identify and remove any potentially compromised elements, while also implementing monitoring solutions to detect suspicious activities within the portal environment. Additionally, organizations should consider implementing web application firewalls and additional layers of authentication to limit the scope of potential exploitation. The remediation process should include immediate patching of affected systems to version 11.2 or later, which contains the necessary security fixes to address this vulnerability. Regular security assessments and penetration testing should be conducted to identify similar vulnerabilities within the broader ArcGIS ecosystem and related applications, ensuring comprehensive protection against similar threats that may exploit similar input validation weaknesses.