CVE-2024-25704 in Portal for ArcGIS Enterprise Experience Builder
Summary
by MITRE • 04/04/2024
There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Experience Builder versions <= 11.1 that may allow a remote, authenticated attacker to create a crafted link that is stored in the Experience Builder Embed widget which when loaded could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high.
Analysis
by VulDB Data Team • 01/06/2025
This vulnerability represents a critical stored cross-site scripting flaw in Esri Portal for ArcGIS Enterprise Experience Builder affecting versions 11.1 and earlier. The security weakness stems from inadequate input validation and output encoding mechanisms within the Experience Builder Embed widget functionality. An attacker must first establish authenticated access to the system to exploit this vulnerability, requiring a high level of privileges that significantly limits the attack surface but does not eliminate the risk entirely.
The technical implementation flaw occurs when the system fails to properly sanitize user-supplied content before storing it in the embedded widget configuration. When a malicious user crafts a specially designed link containing executable JavaScript code and stores it within the Embed widget, the system improperly processes this input without sufficient sanitization measures. This stored payload then executes automatically whenever any user accesses the page containing the compromised embed widget, creating a persistent threat vector that can affect multiple victims over time.
The operational impact of this vulnerability extends beyond simple script execution as it provides attackers with the ability to establish persistent footholds within the ArcGIS environment. Attackers could potentially steal session cookies, redirect users to malicious sites, deface content, or perform actions on behalf of authenticated users. The stored nature of the vulnerability means that even if the initial attacker's session expires, the malicious payload remains active and continues to affect subsequent users who access the compromised content. This characteristic makes the vulnerability particularly dangerous in enterprise environments where multiple users regularly interact with shared ArcGIS applications.
The vulnerability aligns with CWE-079, which addresses cross-site scripting weaknesses in web applications, and follows patterns commonly associated with ATT&CK technique T1566 (spearphishing with a link). Organizations should apply the latest security patches from Esri as an immediate mitigation, enforce strict input validation on widget content, and establish content filtering for embedded widgets. Additionally, administrators should consider network-level protections such as web application firewalls, and should monitor for suspicious embed widget configurations so that exploitation attempts can be detected before they succeed.
Security teams should also establish comprehensive user access controls that enforce the principle of least privilege, ensuring that only authorized personnel can create or modify embed widgets within the Experience Builder environment. Regular security auditing of embedded content, supported by automated scanning tools, can help identify potentially compromised widgets before they are exploited by malicious actors. The high privilege requirement for exploitation does not negate the need for proper security controls: attackers may escalate privileges through other vectors, or exploit additional vulnerabilities within the broader ArcGIS ecosystem, to obtain the access level needed to execute this attack.
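The input validation and the configuration auditing recommended above, as an added example that is not Esri's or VulDB's code. It assumes a hypothetical stored-config shape (`widgets` keyed by id, each with a `uri` and a `config.url`) and treats any non-http(s) scheme in an embed widget link as a finding.

```javascript
// Added example (not Esri's or VulDB's code). Validates a link before it is
// stored in an embed-style widget and audits a stored config for links that
// fail the check. The config shape and key names are assumptions.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
const MAX_LINK_LENGTH = 2048; // assumed sanity bound, not an Esri limit

// Accept only absolute http(s) URLs. The WHATWG URL parser lowercases the
// scheme, strips leading/trailing whitespace and removes embedded tab and
// newline characters, so obfuscated javascript:, data: or vbscript: links
// resolve to their real scheme before the allowlist is consulted.
function isSafeEmbedLink(link) {
  if (typeof link !== "string" || link.length === 0 || link.length > MAX_LINK_LENGTH) {
    return false;
  }
  let parsed;
  try {
    parsed = new URL(link); // throws on relative or malformed input
  } catch (_err) {
    return false;
  }
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// Walk stored widgets and report embed widgets whose link fails validation.
// Assumed shape: { widgets: { <id>: { uri, config: { url } } } }.
function auditEmbedWidgets(config) {
  const findings = [];
  for (const [id, widget] of Object.entries((config && config.widgets) || {})) {
    if (!/embed/i.test(widget.uri || "")) continue; // only embed widgets
    const link = widget.config ? widget.config.url : undefined;
    if (!isSafeEmbedLink(link)) {
      findings.push({ widgetId: id, link: String(link) });
    }
  }
  return findings;
}

// Constructed sample config, not a real Experience Builder export.
const SAMPLE_CONFIG = {
  widgets: {
    widget_1: { uri: "widgets/common/embed/", config: { url: "https://example.org/map" } },
    widget_2: { uri: "widgets/common/embed/", config: { url: " JavaScript:void(0)" } },
    widget_3: { uri: "widgets/common/text/", config: { text: "hello" } },
  },
};

console.log(auditEmbedWidgets(SAMPLE_CONFIG)); // [{ widgetId: "widget_2", link: " JavaScript:void(0)" }]
```

The same validator belongs at the point where the widget configuration is saved, so that a crafted link is rejected before it is ever stored.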