CVE-2024-25709 in Portal for ArcGIS

Summary

by MITRE • 04/04/2024

There is a stored Cross‑Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS versions 11.2 and below that may allow a remote, authenticated attacker to create a crafted link that can be saved as a new location when moving an existing item, which could potentially execute arbitrary JavaScript code in a victim’s browser. Exploitation does not require any privileges and can be performed by an anonymous user.

Analysis

by VulDB Data Team • 02/14/2026

The stored cross-site scripting vulnerability identified as CVE-2024-25709 affects Esri Portal for ArcGIS versions 11.2 and earlier, representing a critical security flaw that undermines the application's input validation mechanisms. This vulnerability exists within the item management functionality where users can move existing items between locations, creating a persistent XSS vector through crafted link manipulation. The flaw stems from insufficient sanitization of user-supplied input when processing location data during item relocation operations, allowing malicious payloads to be stored and subsequently executed in victim browsers.

The technical implementation of this vulnerability involves the application's failure to properly validate and escape user-provided data within the item movement workflow. When an attacker crafts a malicious link and saves it as a new location during an item relocation process, the system stores this crafted content without adequate sanitization. This stored payload can then be executed whenever a victim accesses the affected item or location, as the malicious JavaScript code becomes part of the application's normal response handling. The vulnerability operates at the application layer and specifically targets the web interface components responsible for rendering item location information, making it particularly dangerous in environments where multiple users interact with shared data repositories.

The operational impact of this vulnerability extends beyond simple script execution, as it enables attackers to perform various malicious activities including session hijacking, credential theft, and data exfiltration. The fact that exploitation requires no privileges and can be performed by anonymous users significantly increases the attack surface and risk exposure for organizations using affected versions. Attackers can leverage this vulnerability to establish persistent access to systems, manipulate user sessions, or redirect victims to malicious sites that can harvest sensitive information. The stored nature of the vulnerability means that once exploited, the malicious code continues to execute against all users who encounter the compromised content, potentially affecting thousands of users within an organization's portal environment.

Organizations should immediately implement mitigations including upgrading to Esri Portal for ArcGIS version 11.3 or later, which contains the necessary patches to address this vulnerability. Additionally, administrators should implement input validation controls and output encoding measures to prevent unauthorized data manipulation within the application's user interface. The vulnerability aligns with CWE-79, which specifically addresses cross-site scripting flaws, and corresponds to ATT&CK technique T1566.001 for phishing with malicious attachments, as attackers may exploit this vulnerability to deliver malicious payloads through compromised portal content. Network segmentation and monitoring of user activity within the portal environment can help detect potential exploitation attempts, while regular security assessments should verify that all user inputs are properly sanitized before being processed or stored within the system.
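The input validation and output encoding recommended above can be sketched as follows for a user-supplied link that is stored and later rendered. This is an added example, not code from Esri, MITRE or VulDB; the function names, the `portal.example` origin and the sample values are hypothetical and constructed for illustration.

```javascript
// Added example: hypothetical helpers, not Esri Portal for ArcGIS code.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
const PORTAL_BASE = "https://portal.example/"; // placeholder origin (assumption)

// Validate a user-supplied link before it is stored or rendered.
// Returns a normalized absolute URL, or null if the value is rejected.
function sanitizeLinkTarget(raw) {
  if (typeof raw !== "string" || raw.length > 2048) return null;
  let url;
  try {
    // The WHATWG URL parser strips leading whitespace and embedded tabs and
    // newlines and lowercases the scheme, so the check below runs on the
    // same value a browser would navigate to.
    url = new URL(raw, PORTAL_BASE);
  } catch {
    return null; // unparseable input is never rendered as a link
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null; // blocks javascript:, data:, ...
  if (url.username || url.password) return null; // no embedded credentials
  return url.href;
}

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode a value for HTML text and double-quoted attribute contexts.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render a location entry: validation decides whether a link is emitted at
// all, encoding is applied at output time regardless of what was stored.
function renderLocationLink(rawTarget, label) {
  const href = sanitizeLinkTarget(rawTarget);
  const safeLabel = escapeHtml(label);
  if (href === null) return `<span class="location">${safeLabel}</span>`;
  return `<a class="location" href="${escapeHtml(href)}">${safeLabel}</a>`;
}

// Constructed sample inputs, run through the renderer.
const SAMPLES = [
  ["/home/content.html", "My Content"],
  ["https://portal.example/a?b=1&c=2", "Folder"],
  [" JaVaScRiPt:alert(1)", "<img src=x>"],
  ["data:text/html,<b>x</b>", "Shared"],
];
for (const [target, label] of SAMPLES) {
  console.log(renderLocationLink(target, label));
}
```

Validation on write and encoding on read are independent controls; applying both means content stored before a fix was deployed is still rendered inertly.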
