CVE-2023-25841 in ArcGIS Server
Summary
by MITRE • 07/21/2023
There is a stored Cross-site Scripting vulnerability in Esri ArcGIS Server versions 10.8.1 – 11.0 on Windows and Linux platforms that may allow a remote, unauthenticated attacker to create crafted content which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser.
Mitigation: Disable anonymous access to ArcGIS Feature services with edit capabilities.
Analysis
by VulDB Data Team • 04/24/2025
The stored cross-site scripting vulnerability identified as CVE-2023-25841 represents a critical security weakness in Esri ArcGIS Server software versions 10.8.1 through 11.0 across both Windows and Linux operating systems. This vulnerability falls under the CWE-79 category of Cross-site Scripting and specifically manifests as a stored XSS flaw that enables attackers to inject malicious scripts into the application's content storage mechanisms. The flaw exists within the server's handling of user-submitted content that gets persisted and later rendered to other users, creating a persistent threat vector that can affect any user who accesses the compromised content. The vulnerability is particularly concerning because it does not require authentication for exploitation, allowing unauthenticated attackers to craft malicious payloads that can persist within the system and execute when other users interact with the affected content.
The vulnerability is triggered when ArcGIS Server accepts and stores user input through feature services that support editing. When an attacker submits attribute values containing JavaScript through these editable interfaces, the content is persisted in the server's database or content repository. That stored content is later served to other users who query or view the feature service, and because it is rendered without adequate output encoding, the script executes in their browser context. The attack chain therefore consists of an attacker creating or editing a feature with script content, followed by legitimate users retrieving that feature when they browse or interact with the affected service. The vulnerability is particularly dangerous because it leverages the trust relationship between the browser and the ArcGIS Server application, allowing the injected script to act with the privileges of the victim user.
The operational impact of CVE-2023-25841 extends beyond simple script execution, potentially enabling attackers to perform a wide range of malicious activities including session hijacking, data exfiltration, and privilege escalation within the ArcGIS environment. Attackers could leverage this vulnerability to steal user credentials, access sensitive geospatial data, or even escalate their privileges to system-level access depending on the underlying architecture and user permissions. The vulnerability affects organizations that rely on ArcGIS Server for mapping and spatial data management, potentially compromising critical infrastructure data and operational security. Organizations using the affected versions may face regulatory compliance issues and potential data breaches that could result in significant financial and reputational damage. The persistence of the stored content means that the attack can continue to affect users over extended periods, making it difficult to contain and remediate without comprehensive system scanning and content review processes.
The primary mitigation recommended by Esri is to disable anonymous access to ArcGIS Feature services that have edit capabilities, which prevents unauthenticated users from creating the content that carries the payload. This approach aligns with the principle of least privilege and reduces the attack surface by ensuring that only authenticated users with appropriate permissions can modify content within the system. Additional security measures should include proper input validation and output encoding for all user-supplied content, web application firewalls to filter malicious payloads, and regular security assessments of the ArcGIS Server configuration. Organizations should also consider network segmentation to isolate ArcGIS Server components from less secure network zones, and monitoring procedures to detect unusual content creation patterns that might indicate exploitation attempts. The mitigation strategy reflects ATT&CK technique T1566.001 for credential harvesting through social engineering and T1059.007 for script execution via web shells, making it essential for organizations to implement layered defensive measures. Patching and updating ArcGIS Server installations to versions that address this vulnerability should be prioritized alongside these operational controls to ensure comprehensive protection against this and similar threats.
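As an added example that is not part of the VulDB analysis or of Esri's software, the script below shows two of the defensive controls discussed above in working code: a content-review pass that flags feature attribute values containing HTML markup, `javascript:` URLs or inline event handlers (the kind of "unusual content" a stored-XSS hunt looks for in an editable feature service), and an output-encoding helper that renders attribute values safely. The input is a constructed JSON document shaped like a feature query response; the field names (`OBJECTID`, `NAME`, `NOTES`) and all values are made up for the example and do not come from the advisory.

```python
import html
import json
import re

# Constructed sample shaped like a feature query response. Field names and
# values are invented for this example; feature 2 and 3 carry markup that a
# reviewer would want to see flagged.
SAMPLE_QUERY_RESPONSE = json.dumps({
    "features": [
        {"attributes": {"OBJECTID": 1, "NAME": "Main Street", "NOTES": "Repaved 2022"}},
        {"attributes": {"OBJECTID": 2, "NAME": "<script>alert(1)</script>", "NOTES": ""}},
        {"attributes": {"OBJECTID": 3, "NAME": "Park", "NOTES": "<img src=x onerror=alert(1)>"}},
    ]
})

# Heuristic for text that should never appear in a plain attribute value:
# an HTML tag, a javascript: URL, or an inline on*= event handler.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*[a-z][^>]*>|javascript\s*:|\bon[a-z]+\s*=",
    re.IGNORECASE,
)


def find_suspicious_attributes(response_json):
    """Return (OBJECTID, field, value) for every string attribute that
    matches the SUSPICIOUS pattern, in the order features appear."""
    hits = []
    for feature in json.loads(response_json).get("features", []):
        attrs = feature.get("attributes", {})
        oid = attrs.get("OBJECTID")
        for field, value in attrs.items():
            if isinstance(value, str) and SUSPICIOUS.search(value):
                hits.append((oid, field, value))
    return hits


def render_attribute(value):
    """Escape a single attribute value for insertion into HTML text or a
    quoted attribute; this is the output-encoding step the analysis calls for."""
    return html.escape(str(value), quote=True)


def render_popup(attrs):
    """Build a small HTML table for one feature, escaping every field name
    and value so stored markup is displayed as text rather than executed."""
    rows = "".join(
        f"<tr><th>{render_attribute(k)}</th><td>{render_attribute(v)}</td></tr>"
        for k, v in attrs.items()
    )
    return f"<table>{rows}</table>"


if __name__ == "__main__":
    for oid, field, value in find_suspicious_attributes(SAMPLE_QUERY_RESPONSE):
        print(f"OBJECTID {oid}: field {field!r} contains markup: {value!r}")
    second = json.loads(SAMPLE_QUERY_RESPONSE)["features"][1]["attributes"]
    print(render_popup(second))
```

The review pass is deliberately a coarse heuristic: it is meant to surface candidates for a human to inspect after edit access has been restricted, not to replace output encoding. `render_popup` shows the encoding side: the same stored `<script>` value that would execute in an unescaped template is emitted as `&lt;script&gt;` and displayed as literal text.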