Esri ArcGIS Enterprise up to 11.1 Link cross site scripting 🚫 [False Positive]

Notice

⚠️ This issue seems to be a false positive. Please check the referenced sources and consider omitting this entry entirely.

Product

Vendor

Name

Version

License

Timeline

02/09/2024
04/04/2024 +54 days
04/04/2024 +0 days
01/06/2025 +277 days

Sources

Advisory: esri.com
False Positive: Yes

CVE: CVE-2024-25700
GCVE (CVE): GCVE-0-2024-25700
GCVE (VulDB): GCVE-100-259416

Entry

Created: 04/05/2024 00:02
Updated: 01/06/2025 14:06
Changes: 04/05/2024 00:02 (62), 04/05/2024 10:04 (1), 01/06/2025 14:06 (1)

Discussion

 Anonymous User
(+0)
2 years ago
Good morning,
The official description provided by NVD NIST is:
"There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Web App Builder versions <= 11.1 that may allow a remote, authenticated attacker to create a crafted link that is stored in a web map link which when clicked could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high."
Therefore, could you also add the "esri:portal_for_arcgis" cpe?
We would appreciate it very much,
Best regards,
TEAM CERT
Esri published the CVEs and declared the products mentioned in the JSON files. Their summaries do contradict this somehow. We have tried to align it with the best possible CPE values.