213 vulnerabilities found for portal_for_arcgis by esri
FKIE_CVE-2025-57879
Vulnerability from fkie_nvd - Published: 2025-09-29 19:15 - Updated: 2025-10-17 14:15
Severity: 6.1 (MEDIUM) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (source: psirt@esri.com)
Summary
There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks.
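References
- https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2025-update-3-patch (Vendor Advisory, Patch)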
Impacted products
| Vendor | Product | Version | Update |
|---|---|---|---|
| esri | portal_for_arcgis | 10.9.1 | `-` |
| esri | portal_for_arcgis | 10.9.1 | `security_2025_update1` |
| esri | portal_for_arcgis | 10.9.1 | `security_2025_update2` |
| esri | portal_for_arcgis | 11.0 | `*` |
| esri | portal_for_arcgis | 11.1 | `-` |
| esri | portal_for_arcgis | 11.1 | `security_2024_update1` |
| esri | portal_for_arcgis | 11.1 | `security_2024_update2` |
| esri | portal_for_arcgis | 11.1 | `security_2025_update1` |
| esri | portal_for_arcgis | 11.1 | `security_2025_update2` |
| esri | portal_for_arcgis | 11.2 | `-` |
| esri | portal_for_arcgis | 11.2 | `security_2024_update1` |
| esri | portal_for_arcgis | 11.2 | `security_2024_update2` |
| esri | portal_for_arcgis | 11.2 | `security_2025_update1` |
| esri | portal_for_arcgis | 11.2 | `security_2025_update2` |
| esri | portal_for_arcgis | 11.3 | `-` |
| esri | portal_for_arcgis | 11.3 | `security_2025_update1` |
| esri | portal_for_arcgis | 11.3 | `security_2025_update2` |
| esri | portal_for_arcgis | 11.4 | `-` |
| esri | portal_for_arcgis | 11.4 | `security_2025_update1` |
| esri | portal_for_arcgis | 11.4 | `security_2025_update2` |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:10.9.1:-:*:*:*:*:*:*",
"matchCriteriaId": "43F37C65-CBEC-4688-8DB4-B58C83EEBC92",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:10.9.1:security_2025_update1:*:*:*:*:*:*",
"matchCriteriaId": "A97FDB6F-0614-4F4A-91F1-09C230ED5E3C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:10.9.1:security_2025_update2:*:*:*:*:*:*",
"matchCriteriaId": "7770A56F-0801-4982-828E-F43446224608",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2A62FCB5-12A6-487C-BCA9-0AD3F11354CD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.1:-:*:*:*:*:*:*",
"matchCriteriaId": "57DA68A3-0E09-4C8C-A98E-B027964FA17A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.1:security_2024_update1:*:*:*:*:*:*",
"matchCriteriaId": "C3A6B038-6C92-4A34-B980-E3872265FF89",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.1:security_2024_update2:*:*:*:*:*:*",
"matchCriteriaId": "4DA6D70E-60D6-4CE6-AFA4-7BB191A23E3B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.1:security_2025_update1:*:*:*:*:*:*",
"matchCriteriaId": "9FCD40AD-6D5B-498C-AFD7-B84B4FD1E3F3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.1:security_2025_update2:*:*:*:*:*:*",
"matchCriteriaId": "3E2AE6CA-0F8E-4D40-94E3-FEAB2E7E2CF7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.2:-:*:*:*:*:*:*",
"matchCriteriaId": "3460737E-3181-4FCB-9A2B-D4C27C5FC774",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.2:security_2024_update1:*:*:*:*:*:*",
"matchCriteriaId": "E56FFF86-E366-4910-8ECB-9F93F903762F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.2:security_2024_update2:*:*:*:*:*:*",
"matchCriteriaId": "F299D739-C8EA-4BEC-A356-3ED7F49A9A3B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.2:security_2025_update1:*:*:*:*:*:*",
"matchCriteriaId": "8B46D70A-E101-407D-B326-034232260364",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.2:security_2025_update2:*:*:*:*:*:*",
"matchCriteriaId": "021904ED-87FD-4FB4-BCC8-DE89DB05FB66",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.3:-:*:*:*:*:*:*",
"matchCriteriaId": "CF8719BA-95F6-4AB6-8A86-6742BE828260",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.3:security_2025_update1:*:*:*:*:*:*",
"matchCriteriaId": "7C19F9C7-F687-4865-8535-2E99E0AB0157",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.3:security_2025_update2:*:*:*:*:*:*",
"matchCriteriaId": "FC7EED3B-056E-4B86-94E4-FF0B62E376CA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.4:-:*:*:*:*:*:*",
"matchCriteriaId": "532CBBBF-BB12-483C-A996-A7DE7F0330A9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.4:security_2025_update1:*:*:*:*:*:*",
"matchCriteriaId": "967840A2-98F6-4729-B979-32628AA34F38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.4:security_2025_update2:*:*:*:*:*:*",
"matchCriteriaId": "278C5760-3183-4A79-BE1F-A280BD5A3274",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks."
}
],
"id": "CVE-2025-57879",
"lastModified": "2025-10-17T14:15:25.803",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "psirt@esri.com",
"type": "Primary"
}
]
},
"published": "2025-09-29T19:15:37.227",
"references": [
{
"source": "psirt@esri.com",
"tags": [
"Vendor Advisory",
"Patch"
],
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2025-update-3-patch"
}
],
"sourceIdentifier": "psirt@esri.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-601"
}
],
"source": "psirt@esri.com",
"type": "Primary"
}
]
}
FKIE_CVE-2025-57878
Vulnerability from fkie_nvd - Published: 2025-09-29 19:15 - Updated: 2025-10-17 14:15
Severity: 6.1 (MEDIUM) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (source: psirt@esri.com)
Summary
There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks.
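References
- https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2025-update-3-patch (Vendor Advisory, Patch)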
Impacted products
| Vendor | Product | Version | Update |
|---|---|---|---|
| esri | portal_for_arcgis | 10.9.1 | `-` |
| esri | portal_for_arcgis | 10.9.1 | `security_2025_update1` |
| esri | portal_for_arcgis | 10.9.1 | `security_2025_update2` |
| esri | portal_for_arcgis | 11.0 | `*` |
| esri | portal_for_arcgis | 11.1 | `-` |
| esri | portal_for_arcgis | 11.1 | `security_2024_update1` |
| esri | portal_for_arcgis | 11.1 | `security_2024_update2` |
| esri | portal_for_arcgis | 11.1 | `security_2025_update1` |
| esri | portal_for_arcgis | 11.1 | `security_2025_update2` |
| esri | portal_for_arcgis | 11.2 | `-` |
| esri | portal_for_arcgis | 11.2 | `security_2024_update1` |
| esri | portal_for_arcgis | 11.2 | `security_2024_update2` |
| esri | portal_for_arcgis | 11.2 | `security_2025_update1` |
| esri | portal_for_arcgis | 11.2 | `security_2025_update2` |
| esri | portal_for_arcgis | 11.3 | `-` |
| esri | portal_for_arcgis | 11.3 | `security_2025_update1` |
| esri | portal_for_arcgis | 11.3 | `security_2025_update2` |
| esri | portal_for_arcgis | 11.4 | `-` |
| esri | portal_for_arcgis | 11.4 | `security_2025_update1` |
| esri | portal_for_arcgis | 11.4 | `security_2025_update2` |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:10.9.1:-:*:*:*:*:*:*",
"matchCriteriaId": "43F37C65-CBEC-4688-8DB4-B58C83EEBC92",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:10.9.1:security_2025_update1:*:*:*:*:*:*",
"matchCriteriaId": "A97FDB6F-0614-4F4A-91F1-09C230ED5E3C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:10.9.1:security_2025_update2:*:*:*:*:*:*",
"matchCriteriaId": "7770A56F-0801-4982-828E-F43446224608",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2A62FCB5-12A6-487C-BCA9-0AD3F11354CD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.1:-:*:*:*:*:*:*",
"matchCriteriaId": "57DA68A3-0E09-4C8C-A98E-B027964FA17A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.1:security_2024_update1:*:*:*:*:*:*",
"matchCriteriaId": "C3A6B038-6C92-4A34-B980-E3872265FF89",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.1:security_2024_update2:*:*:*:*:*:*",
"matchCriteriaId": "4DA6D70E-60D6-4CE6-AFA4-7BB191A23E3B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.1:security_2025_update1:*:*:*:*:*:*",
"matchCriteriaId": "9FCD40AD-6D5B-498C-AFD7-B84B4FD1E3F3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.1:security_2025_update2:*:*:*:*:*:*",
"matchCriteriaId": "3E2AE6CA-0F8E-4D40-94E3-FEAB2E7E2CF7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.2:-:*:*:*:*:*:*",
"matchCriteriaId": "3460737E-3181-4FCB-9A2B-D4C27C5FC774",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.2:security_2024_update1:*:*:*:*:*:*",
"matchCriteriaId": "E56FFF86-E366-4910-8ECB-9F93F903762F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.2:security_2024_update2:*:*:*:*:*:*",
"matchCriteriaId": "F299D739-C8EA-4BEC-A356-3ED7F49A9A3B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.2:security_2025_update1:*:*:*:*:*:*",
"matchCriteriaId": "8B46D70A-E101-407D-B326-034232260364",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.2:security_2025_update2:*:*:*:*:*:*",
"matchCriteriaId": "021904ED-87FD-4FB4-BCC8-DE89DB05FB66",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.3:-:*:*:*:*:*:*",
"matchCriteriaId": "CF8719BA-95F6-4AB6-8A86-6742BE828260",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.3:security_2025_update1:*:*:*:*:*:*",
"matchCriteriaId": "7C19F9C7-F687-4865-8535-2E99E0AB0157",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.3:security_2025_update2:*:*:*:*:*:*",
"matchCriteriaId": "FC7EED3B-056E-4B86-94E4-FF0B62E376CA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.4:-:*:*:*:*:*:*",
"matchCriteriaId": "532CBBBF-BB12-483C-A996-A7DE7F0330A9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.4:security_2025_update1:*:*:*:*:*:*",
"matchCriteriaId": "967840A2-98F6-4729-B979-32628AA34F38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.4:security_2025_update2:*:*:*:*:*:*",
"matchCriteriaId": "278C5760-3183-4A79-BE1F-A280BD5A3274",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks."
}
],
"id": "CVE-2025-57878",
"lastModified": "2025-10-17T14:15:18.050",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "psirt@esri.com",
"type": "Primary"
}
]
},
"published": "2025-09-29T19:15:37.063",
"references": [
{
"source": "psirt@esri.com",
"tags": [
"Vendor Advisory",
"Patch"
],
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2025-update-3-patch"
}
],
"sourceIdentifier": "psirt@esri.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-601"
}
],
"source": "psirt@esri.com",
"type": "Primary"
}
]
}
FKIE_CVE-2025-57876
Vulnerability from fkie_nvd - Published: 2025-09-29 19:15 - Updated: 2025-10-17 14:15
Severity: 4.8 (MEDIUM) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (source: psirt@esri.com)
Summary
There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, authenticated attacker to inject a malicious file with an embedded XSS script which, when loaded, could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal.
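References
- https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2025-update-3-patch (Vendor Advisory, Patch)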
Impacted products
| Vendor | Product | Version | Update |
|---|---|---|---|
| esri | portal_for_arcgis | 10.9.1 | `-` |
| esri | portal_for_arcgis | 10.9.1 | `security_2025_update1` |
| esri | portal_for_arcgis | 10.9.1 | `security_2025_update2` |
| esri | portal_for_arcgis | 11.0 | `*` |
| esri | portal_for_arcgis | 11.1 | `-` |
| esri | portal_for_arcgis | 11.1 | `security_2024_update1` |
| esri | portal_for_arcgis | 11.1 | `security_2024_update2` |
| esri | portal_for_arcgis | 11.1 | `security_2025_update1` |
| esri | portal_for_arcgis | 11.1 | `security_2025_update2` |
| esri | portal_for_arcgis | 11.2 | `-` |
| esri | portal_for_arcgis | 11.2 | `security_2024_update1` |
| esri | portal_for_arcgis | 11.2 | `security_2024_update2` |
| esri | portal_for_arcgis | 11.2 | `security_2025_update1` |
| esri | portal_for_arcgis | 11.2 | `security_2025_update2` |
| esri | portal_for_arcgis | 11.3 | `-` |
| esri | portal_for_arcgis | 11.3 | `security_2025_update1` |
| esri | portal_for_arcgis | 11.3 | `security_2025_update2` |
| esri | portal_for_arcgis | 11.4 | `-` |
| esri | portal_for_arcgis | 11.4 | `security_2025_update1` |
| esri | portal_for_arcgis | 11.4 | `security_2025_update2` |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:10.9.1:-:*:*:*:*:*:*",
"matchCriteriaId": "43F37C65-CBEC-4688-8DB4-B58C83EEBC92",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:10.9.1:security_2025_update1:*:*:*:*:*:*",
"matchCriteriaId": "A97FDB6F-0614-4F4A-91F1-09C230ED5E3C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:10.9.1:security_2025_update2:*:*:*:*:*:*",
"matchCriteriaId": "7770A56F-0801-4982-828E-F43446224608",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2A62FCB5-12A6-487C-BCA9-0AD3F11354CD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.1:-:*:*:*:*:*:*",
"matchCriteriaId": "57DA68A3-0E09-4C8C-A98E-B027964FA17A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.1:security_2024_update1:*:*:*:*:*:*",
"matchCriteriaId": "C3A6B038-6C92-4A34-B980-E3872265FF89",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.1:security_2024_update2:*:*:*:*:*:*",
"matchCriteriaId": "4DA6D70E-60D6-4CE6-AFA4-7BB191A23E3B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.1:security_2025_update1:*:*:*:*:*:*",
"matchCriteriaId": "9FCD40AD-6D5B-498C-AFD7-B84B4FD1E3F3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.1:security_2025_update2:*:*:*:*:*:*",
"matchCriteriaId": "3E2AE6CA-0F8E-4D40-94E3-FEAB2E7E2CF7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.2:-:*:*:*:*:*:*",
"matchCriteriaId": "3460737E-3181-4FCB-9A2B-D4C27C5FC774",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.2:security_2024_update1:*:*:*:*:*:*",
"matchCriteriaId": "E56FFF86-E366-4910-8ECB-9F93F903762F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.2:security_2024_update2:*:*:*:*:*:*",
"matchCriteriaId": "F299D739-C8EA-4BEC-A356-3ED7F49A9A3B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.2:security_2025_update1:*:*:*:*:*:*",
"matchCriteriaId": "8B46D70A-E101-407D-B326-034232260364",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.2:security_2025_update2:*:*:*:*:*:*",
"matchCriteriaId": "021904ED-87FD-4FB4-BCC8-DE89DB05FB66",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.3:-:*:*:*:*:*:*",
"matchCriteriaId": "CF8719BA-95F6-4AB6-8A86-6742BE828260",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.3:security_2025_update1:*:*:*:*:*:*",
"matchCriteriaId": "7C19F9C7-F687-4865-8535-2E99E0AB0157",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.3:security_2025_update2:*:*:*:*:*:*",
"matchCriteriaId": "FC7EED3B-056E-4B86-94E4-FF0B62E376CA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.4:-:*:*:*:*:*:*",
"matchCriteriaId": "532CBBBF-BB12-483C-A996-A7DE7F0330A9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.4:security_2025_update1:*:*:*:*:*:*",
"matchCriteriaId": "967840A2-98F6-4729-B979-32628AA34F38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.4:security_2025_update2:*:*:*:*:*:*",
"matchCriteriaId": "278C5760-3183-4A79-BE1F-A280BD5A3274",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, authenticated attacker to inject malicious a file with an embedded xss script which when loaded could potentially execute arbitrary JavaScript code in the victim\u2019s browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal."
}
],
"id": "CVE-2025-57876",
"lastModified": "2025-10-17T14:15:05.600",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "psirt@esri.com",
"type": "Primary"
}
]
},
"published": "2025-09-29T19:15:36.720",
"references": [
{
"source": "psirt@esri.com",
"tags": [
"Vendor Advisory",
"Patch"
],
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2025-update-3-patch"
}
],
"sourceIdentifier": "psirt@esri.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "psirt@esri.com",
"type": "Primary"
}
]
}
FKIE_CVE-2025-57875
Vulnerability from fkie_nvd - Published: 2025-09-29 19:15 - Updated: 2025-10-17 14:14
Severity: 4.8 (MEDIUM) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (source: psirt@esri.com)
Summary
There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser.
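References
- https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2025-update-3-patch (Patch, Vendor Advisory)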
Impacted products
| Vendor | Product | Version | Update |
|---|---|---|---|
| esri | portal_for_arcgis | 10.9.1 | `-` |
| esri | portal_for_arcgis | 10.9.1 | `security_2025_update1` |
| esri | portal_for_arcgis | 10.9.1 | `security_2025_update2` |
| esri | portal_for_arcgis | 11.0 | `*` |
| esri | portal_for_arcgis | 11.1 | `-` |
| esri | portal_for_arcgis | 11.1 | `security_2024_update1` |
| esri | portal_for_arcgis | 11.1 | `security_2024_update2` |
| esri | portal_for_arcgis | 11.1 | `security_2025_update1` |
| esri | portal_for_arcgis | 11.1 | `security_2025_update2` |
| esri | portal_for_arcgis | 11.2 | `-` |
| esri | portal_for_arcgis | 11.2 | `security_2024_update1` |
| esri | portal_for_arcgis | 11.2 | `security_2024_update2` |
| esri | portal_for_arcgis | 11.2 | `security_2025_update1` |
| esri | portal_for_arcgis | 11.2 | `security_2025_update2` |
| esri | portal_for_arcgis | 11.3 | `-` |
| esri | portal_for_arcgis | 11.3 | `security_2025_update1` |
| esri | portal_for_arcgis | 11.3 | `security_2025_update2` |
| esri | portal_for_arcgis | 11.4 | `-` |
| esri | portal_for_arcgis | 11.4 | `security_2025_update1` |
| esri | portal_for_arcgis | 11.4 | `security_2025_update2` |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:10.9.1:-:*:*:*:*:*:*",
"matchCriteriaId": "43F37C65-CBEC-4688-8DB4-B58C83EEBC92",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:10.9.1:security_2025_update1:*:*:*:*:*:*",
"matchCriteriaId": "A97FDB6F-0614-4F4A-91F1-09C230ED5E3C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:10.9.1:security_2025_update2:*:*:*:*:*:*",
"matchCriteriaId": "7770A56F-0801-4982-828E-F43446224608",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2A62FCB5-12A6-487C-BCA9-0AD3F11354CD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.1:-:*:*:*:*:*:*",
"matchCriteriaId": "57DA68A3-0E09-4C8C-A98E-B027964FA17A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.1:security_2024_update1:*:*:*:*:*:*",
"matchCriteriaId": "C3A6B038-6C92-4A34-B980-E3872265FF89",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.1:security_2024_update2:*:*:*:*:*:*",
"matchCriteriaId": "4DA6D70E-60D6-4CE6-AFA4-7BB191A23E3B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.1:security_2025_update1:*:*:*:*:*:*",
"matchCriteriaId": "9FCD40AD-6D5B-498C-AFD7-B84B4FD1E3F3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.1:security_2025_update2:*:*:*:*:*:*",
"matchCriteriaId": "3E2AE6CA-0F8E-4D40-94E3-FEAB2E7E2CF7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.2:-:*:*:*:*:*:*",
"matchCriteriaId": "3460737E-3181-4FCB-9A2B-D4C27C5FC774",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.2:security_2024_update1:*:*:*:*:*:*",
"matchCriteriaId": "E56FFF86-E366-4910-8ECB-9F93F903762F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.2:security_2024_update2:*:*:*:*:*:*",
"matchCriteriaId": "F299D739-C8EA-4BEC-A356-3ED7F49A9A3B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.2:security_2025_update1:*:*:*:*:*:*",
"matchCriteriaId": "8B46D70A-E101-407D-B326-034232260364",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.2:security_2025_update2:*:*:*:*:*:*",
"matchCriteriaId": "021904ED-87FD-4FB4-BCC8-DE89DB05FB66",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.3:-:*:*:*:*:*:*",
"matchCriteriaId": "CF8719BA-95F6-4AB6-8A86-6742BE828260",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.3:security_2025_update1:*:*:*:*:*:*",
"matchCriteriaId": "7C19F9C7-F687-4865-8535-2E99E0AB0157",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.3:security_2025_update2:*:*:*:*:*:*",
"matchCriteriaId": "FC7EED3B-056E-4B86-94E4-FF0B62E376CA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.4:-:*:*:*:*:*:*",
"matchCriteriaId": "532CBBBF-BB12-483C-A996-A7DE7F0330A9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.4:security_2025_update1:*:*:*:*:*:*",
"matchCriteriaId": "967840A2-98F6-4729-B979-32628AA34F38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.4:security_2025_update2:*:*:*:*:*:*",
"matchCriteriaId": "278C5760-3183-4A79-BE1F-A280BD5A3274",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser."
}
],
"id": "CVE-2025-57875",
"lastModified": "2025-10-17T14:14:55.633",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "psirt@esri.com",
"type": "Primary"
}
]
},
"published": "2025-09-29T19:15:36.560",
"references": [
{
"source": "psirt@esri.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2025-update-3-patch"
}
],
"sourceIdentifier": "psirt@esri.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "psirt@esri.com",
"type": "Primary"
}
]
}
FKIE_CVE-2025-57874
Vulnerability from fkie_nvd - Published: 2025-09-29 19:15 - Updated: 2025-10-17 14:14
Severity: 4.8 (MEDIUM) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (source: psirt@esri.com)
Summary
There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser.
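References
- https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2025-update-3-patch (Patch, Vendor Advisory)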
Impacted products
| Vendor | Product | Version | Update |
|---|---|---|---|
| esri | portal_for_arcgis | 10.9.1 | `-` |
| esri | portal_for_arcgis | 10.9.1 | `security_2025_update1` |
| esri | portal_for_arcgis | 10.9.1 | `security_2025_update2` |
| esri | portal_for_arcgis | 11.0 | `*` |
| esri | portal_for_arcgis | 11.1 | `-` |
| esri | portal_for_arcgis | 11.1 | `security_2024_update1` |
| esri | portal_for_arcgis | 11.1 | `security_2024_update2` |
| esri | portal_for_arcgis | 11.1 | `security_2025_update1` |
| esri | portal_for_arcgis | 11.1 | `security_2025_update2` |
| esri | portal_for_arcgis | 11.2 | `-` |
| esri | portal_for_arcgis | 11.2 | `security_2024_update1` |
| esri | portal_for_arcgis | 11.2 | `security_2024_update2` |
| esri | portal_for_arcgis | 11.2 | `security_2025_update1` |
| esri | portal_for_arcgis | 11.2 | `security_2025_update2` |
| esri | portal_for_arcgis | 11.3 | `-` |
| esri | portal_for_arcgis | 11.3 | `security_2025_update1` |
| esri | portal_for_arcgis | 11.3 | `security_2025_update2` |
| esri | portal_for_arcgis | 11.4 | `-` |
| esri | portal_for_arcgis | 11.4 | `security_2025_update1` |
| esri | portal_for_arcgis | 11.4 | `security_2025_update2` |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:10.9.1:-:*:*:*:*:*:*",
"matchCriteriaId": "43F37C65-CBEC-4688-8DB4-B58C83EEBC92",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:10.9.1:security_2025_update1:*:*:*:*:*:*",
"matchCriteriaId": "A97FDB6F-0614-4F4A-91F1-09C230ED5E3C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:10.9.1:security_2025_update2:*:*:*:*:*:*",
"matchCriteriaId": "7770A56F-0801-4982-828E-F43446224608",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2A62FCB5-12A6-487C-BCA9-0AD3F11354CD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.1:-:*:*:*:*:*:*",
"matchCriteriaId": "57DA68A3-0E09-4C8C-A98E-B027964FA17A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.1:security_2024_update1:*:*:*:*:*:*",
"matchCriteriaId": "C3A6B038-6C92-4A34-B980-E3872265FF89",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.1:security_2024_update2:*:*:*:*:*:*",
"matchCriteriaId": "4DA6D70E-60D6-4CE6-AFA4-7BB191A23E3B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.1:security_2025_update1:*:*:*:*:*:*",
"matchCriteriaId": "9FCD40AD-6D5B-498C-AFD7-B84B4FD1E3F3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.1:security_2025_update2:*:*:*:*:*:*",
"matchCriteriaId": "3E2AE6CA-0F8E-4D40-94E3-FEAB2E7E2CF7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.2:-:*:*:*:*:*:*",
"matchCriteriaId": "3460737E-3181-4FCB-9A2B-D4C27C5FC774",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.2:security_2024_update1:*:*:*:*:*:*",
"matchCriteriaId": "E56FFF86-E366-4910-8ECB-9F93F903762F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.2:security_2024_update2:*:*:*:*:*:*",
"matchCriteriaId": "F299D739-C8EA-4BEC-A356-3ED7F49A9A3B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.2:security_2025_update1:*:*:*:*:*:*",
"matchCriteriaId": "8B46D70A-E101-407D-B326-034232260364",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.2:security_2025_update2:*:*:*:*:*:*",
"matchCriteriaId": "021904ED-87FD-4FB4-BCC8-DE89DB05FB66",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.3:-:*:*:*:*:*:*",
"matchCriteriaId": "CF8719BA-95F6-4AB6-8A86-6742BE828260",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.3:security_2025_update1:*:*:*:*:*:*",
"matchCriteriaId": "7C19F9C7-F687-4865-8535-2E99E0AB0157",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.3:security_2025_update2:*:*:*:*:*:*",
"matchCriteriaId": "FC7EED3B-056E-4B86-94E4-FF0B62E376CA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.4:-:*:*:*:*:*:*",
"matchCriteriaId": "532CBBBF-BB12-483C-A996-A7DE7F0330A9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.4:security_2025_update1:*:*:*:*:*:*",
"matchCriteriaId": "967840A2-98F6-4729-B979-32628AA34F38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.4:security_2025_update2:*:*:*:*:*:*",
"matchCriteriaId": "278C5760-3183-4A79-BE1F-A280BD5A3274",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser."
}
],
"id": "CVE-2025-57874",
"lastModified": "2025-10-17T14:14:46.523",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "psirt@esri.com",
"type": "Primary"
}
]
},
"published": "2025-09-29T19:15:36.400",
"references": [
{
"source": "psirt@esri.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2025-update-3-patch"
}
],
"sourceIdentifier": "psirt@esri.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "psirt@esri.com",
"type": "Primary"
}
]
}
FKIE_CVE-2025-57873
Vulnerability from fkie_nvd - Published: 2025-09-29 19:15 - Updated: 2025-10-17 14:14
Severity ?
Summary
There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| esri | portal_for_arcgis | 10.9.1 | |
| esri | portal_for_arcgis | 10.9.1 | |
| esri | portal_for_arcgis | 10.9.1 | |
| esri | portal_for_arcgis | 11.0 | |
| esri | portal_for_arcgis | 11.1 | |
| esri | portal_for_arcgis | 11.1 | |
| esri | portal_for_arcgis | 11.1 | |
| esri | portal_for_arcgis | 11.1 | |
| esri | portal_for_arcgis | 11.1 | |
| esri | portal_for_arcgis | 11.2 | |
| esri | portal_for_arcgis | 11.2 | |
| esri | portal_for_arcgis | 11.2 | |
| esri | portal_for_arcgis | 11.2 | |
| esri | portal_for_arcgis | 11.2 | |
| esri | portal_for_arcgis | 11.3 | |
| esri | portal_for_arcgis | 11.3 | |
| esri | portal_for_arcgis | 11.3 | |
| esri | portal_for_arcgis | 11.4 | |
| esri | portal_for_arcgis | 11.4 | |
| esri | portal_for_arcgis | 11.4 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:10.9.1:-:*:*:*:*:*:*",
"matchCriteriaId": "43F37C65-CBEC-4688-8DB4-B58C83EEBC92",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:10.9.1:security_2025_update1:*:*:*:*:*:*",
"matchCriteriaId": "A97FDB6F-0614-4F4A-91F1-09C230ED5E3C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:10.9.1:security_2025_update2:*:*:*:*:*:*",
"matchCriteriaId": "7770A56F-0801-4982-828E-F43446224608",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2A62FCB5-12A6-487C-BCA9-0AD3F11354CD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.1:-:*:*:*:*:*:*",
"matchCriteriaId": "57DA68A3-0E09-4C8C-A98E-B027964FA17A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.1:security_2024_update1:*:*:*:*:*:*",
"matchCriteriaId": "C3A6B038-6C92-4A34-B980-E3872265FF89",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.1:security_2024_update2:*:*:*:*:*:*",
"matchCriteriaId": "4DA6D70E-60D6-4CE6-AFA4-7BB191A23E3B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.1:security_2025_update1:*:*:*:*:*:*",
"matchCriteriaId": "9FCD40AD-6D5B-498C-AFD7-B84B4FD1E3F3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.1:security_2025_update2:*:*:*:*:*:*",
"matchCriteriaId": "3E2AE6CA-0F8E-4D40-94E3-FEAB2E7E2CF7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.2:-:*:*:*:*:*:*",
"matchCriteriaId": "3460737E-3181-4FCB-9A2B-D4C27C5FC774",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.2:security_2024_update1:*:*:*:*:*:*",
"matchCriteriaId": "E56FFF86-E366-4910-8ECB-9F93F903762F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.2:security_2024_update2:*:*:*:*:*:*",
"matchCriteriaId": "F299D739-C8EA-4BEC-A356-3ED7F49A9A3B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.2:security_2025_update1:*:*:*:*:*:*",
"matchCriteriaId": "8B46D70A-E101-407D-B326-034232260364",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.2:security_2025_update2:*:*:*:*:*:*",
"matchCriteriaId": "021904ED-87FD-4FB4-BCC8-DE89DB05FB66",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.3:-:*:*:*:*:*:*",
"matchCriteriaId": "CF8719BA-95F6-4AB6-8A86-6742BE828260",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.3:security_2025_update1:*:*:*:*:*:*",
"matchCriteriaId": "7C19F9C7-F687-4865-8535-2E99E0AB0157",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.3:security_2025_update2:*:*:*:*:*:*",
"matchCriteriaId": "FC7EED3B-056E-4B86-94E4-FF0B62E376CA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.4:-:*:*:*:*:*:*",
"matchCriteriaId": "532CBBBF-BB12-483C-A996-A7DE7F0330A9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.4:security_2025_update1:*:*:*:*:*:*",
"matchCriteriaId": "967840A2-98F6-4729-B979-32628AA34F38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.4:security_2025_update2:*:*:*:*:*:*",
"matchCriteriaId": "278C5760-3183-4A79-BE1F-A280BD5A3274",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser."
}
],
"id": "CVE-2025-57873",
"lastModified": "2025-10-17T14:14:40.383",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "psirt@esri.com",
"type": "Primary"
}
]
},
"published": "2025-09-29T19:15:36.260",
"references": [
{
"source": "psirt@esri.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2025-update-3-patch"
}
],
"sourceIdentifier": "psirt@esri.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "psirt@esri.com",
"type": "Primary"
}
]
}
FKIE_CVE-2025-57877
Vulnerability from fkie_nvd - Published: 2025-09-29 19:15 - Updated: 2025-10-17 14:15
Severity ?
Summary
There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| esri | portal_for_arcgis | 10.9.1 | |
| esri | portal_for_arcgis | 10.9.1 | |
| esri | portal_for_arcgis | 10.9.1 | |
| esri | portal_for_arcgis | 11.0 | |
| esri | portal_for_arcgis | 11.1 | |
| esri | portal_for_arcgis | 11.1 | |
| esri | portal_for_arcgis | 11.1 | |
| esri | portal_for_arcgis | 11.1 | |
| esri | portal_for_arcgis | 11.1 | |
| esri | portal_for_arcgis | 11.2 | |
| esri | portal_for_arcgis | 11.2 | |
| esri | portal_for_arcgis | 11.2 | |
| esri | portal_for_arcgis | 11.2 | |
| esri | portal_for_arcgis | 11.2 | |
| esri | portal_for_arcgis | 11.3 | |
| esri | portal_for_arcgis | 11.3 | |
| esri | portal_for_arcgis | 11.3 | |
| esri | portal_for_arcgis | 11.4 | |
| esri | portal_for_arcgis | 11.4 | |
| esri | portal_for_arcgis | 11.4 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:10.9.1:-:*:*:*:*:*:*",
"matchCriteriaId": "43F37C65-CBEC-4688-8DB4-B58C83EEBC92",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:10.9.1:security_2025_update1:*:*:*:*:*:*",
"matchCriteriaId": "A97FDB6F-0614-4F4A-91F1-09C230ED5E3C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:10.9.1:security_2025_update2:*:*:*:*:*:*",
"matchCriteriaId": "7770A56F-0801-4982-828E-F43446224608",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2A62FCB5-12A6-487C-BCA9-0AD3F11354CD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.1:-:*:*:*:*:*:*",
"matchCriteriaId": "57DA68A3-0E09-4C8C-A98E-B027964FA17A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.1:security_2024_update1:*:*:*:*:*:*",
"matchCriteriaId": "C3A6B038-6C92-4A34-B980-E3872265FF89",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.1:security_2024_update2:*:*:*:*:*:*",
"matchCriteriaId": "4DA6D70E-60D6-4CE6-AFA4-7BB191A23E3B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.1:security_2025_update1:*:*:*:*:*:*",
"matchCriteriaId": "9FCD40AD-6D5B-498C-AFD7-B84B4FD1E3F3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.1:security_2025_update2:*:*:*:*:*:*",
"matchCriteriaId": "3E2AE6CA-0F8E-4D40-94E3-FEAB2E7E2CF7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.2:-:*:*:*:*:*:*",
"matchCriteriaId": "3460737E-3181-4FCB-9A2B-D4C27C5FC774",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.2:security_2024_update1:*:*:*:*:*:*",
"matchCriteriaId": "E56FFF86-E366-4910-8ECB-9F93F903762F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.2:security_2024_update2:*:*:*:*:*:*",
"matchCriteriaId": "F299D739-C8EA-4BEC-A356-3ED7F49A9A3B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.2:security_2025_update1:*:*:*:*:*:*",
"matchCriteriaId": "8B46D70A-E101-407D-B326-034232260364",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.2:security_2025_update2:*:*:*:*:*:*",
"matchCriteriaId": "021904ED-87FD-4FB4-BCC8-DE89DB05FB66",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.3:-:*:*:*:*:*:*",
"matchCriteriaId": "CF8719BA-95F6-4AB6-8A86-6742BE828260",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.3:security_2025_update1:*:*:*:*:*:*",
"matchCriteriaId": "7C19F9C7-F687-4865-8535-2E99E0AB0157",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.3:security_2025_update2:*:*:*:*:*:*",
"matchCriteriaId": "FC7EED3B-056E-4B86-94E4-FF0B62E376CA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.4:-:*:*:*:*:*:*",
"matchCriteriaId": "532CBBBF-BB12-483C-A996-A7DE7F0330A9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.4:security_2025_update1:*:*:*:*:*:*",
"matchCriteriaId": "967840A2-98F6-4729-B979-32628AA34F38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.4:security_2025_update2:*:*:*:*:*:*",
"matchCriteriaId": "278C5760-3183-4A79-BE1F-A280BD5A3274",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser."
}
],
"id": "CVE-2025-57877",
"lastModified": "2025-10-17T14:15:14.017",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "psirt@esri.com",
"type": "Primary"
}
]
},
"published": "2025-09-29T19:15:36.880",
"references": [
{
"source": "psirt@esri.com",
"tags": [
"Vendor Advisory",
"Patch"
],
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2025-update-3-patch"
}
],
"sourceIdentifier": "psirt@esri.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "psirt@esri.com",
"type": "Primary"
}
]
}
FKIE_CVE-2025-57872
Vulnerability from fkie_nvd - Published: 2025-09-29 19:15 - Updated: 2025-10-17 14:14
Severity ?
Summary
There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| esri | portal_for_arcgis | 10.9.1 | |
| esri | portal_for_arcgis | 10.9.1 | |
| esri | portal_for_arcgis | 10.9.1 | |
| esri | portal_for_arcgis | 11.0 | |
| esri | portal_for_arcgis | 11.1 | |
| esri | portal_for_arcgis | 11.1 | |
| esri | portal_for_arcgis | 11.1 | |
| esri | portal_for_arcgis | 11.1 | |
| esri | portal_for_arcgis | 11.1 | |
| esri | portal_for_arcgis | 11.2 | |
| esri | portal_for_arcgis | 11.2 | |
| esri | portal_for_arcgis | 11.2 | |
| esri | portal_for_arcgis | 11.2 | |
| esri | portal_for_arcgis | 11.2 | |
| esri | portal_for_arcgis | 11.3 | |
| esri | portal_for_arcgis | 11.3 | |
| esri | portal_for_arcgis | 11.3 | |
| esri | portal_for_arcgis | 11.4 | |
| esri | portal_for_arcgis | 11.4 | |
| esri | portal_for_arcgis | 11.4 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:10.9.1:-:*:*:*:*:*:*",
"matchCriteriaId": "43F37C65-CBEC-4688-8DB4-B58C83EEBC92",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:10.9.1:security_2025_update1:*:*:*:*:*:*",
"matchCriteriaId": "A97FDB6F-0614-4F4A-91F1-09C230ED5E3C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:10.9.1:security_2025_update2:*:*:*:*:*:*",
"matchCriteriaId": "7770A56F-0801-4982-828E-F43446224608",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2A62FCB5-12A6-487C-BCA9-0AD3F11354CD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.1:-:*:*:*:*:*:*",
"matchCriteriaId": "57DA68A3-0E09-4C8C-A98E-B027964FA17A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.1:security_2024_update1:*:*:*:*:*:*",
"matchCriteriaId": "C3A6B038-6C92-4A34-B980-E3872265FF89",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.1:security_2024_update2:*:*:*:*:*:*",
"matchCriteriaId": "4DA6D70E-60D6-4CE6-AFA4-7BB191A23E3B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.1:security_2025_update1:*:*:*:*:*:*",
"matchCriteriaId": "9FCD40AD-6D5B-498C-AFD7-B84B4FD1E3F3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.1:security_2025_update2:*:*:*:*:*:*",
"matchCriteriaId": "3E2AE6CA-0F8E-4D40-94E3-FEAB2E7E2CF7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.2:-:*:*:*:*:*:*",
"matchCriteriaId": "3460737E-3181-4FCB-9A2B-D4C27C5FC774",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.2:security_2024_update1:*:*:*:*:*:*",
"matchCriteriaId": "E56FFF86-E366-4910-8ECB-9F93F903762F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.2:security_2024_update2:*:*:*:*:*:*",
"matchCriteriaId": "F299D739-C8EA-4BEC-A356-3ED7F49A9A3B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.2:security_2025_update1:*:*:*:*:*:*",
"matchCriteriaId": "8B46D70A-E101-407D-B326-034232260364",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.2:security_2025_update2:*:*:*:*:*:*",
"matchCriteriaId": "021904ED-87FD-4FB4-BCC8-DE89DB05FB66",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.3:-:*:*:*:*:*:*",
"matchCriteriaId": "CF8719BA-95F6-4AB6-8A86-6742BE828260",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.3:security_2025_update1:*:*:*:*:*:*",
"matchCriteriaId": "7C19F9C7-F687-4865-8535-2E99E0AB0157",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.3:security_2025_update2:*:*:*:*:*:*",
"matchCriteriaId": "FC7EED3B-056E-4B86-94E4-FF0B62E376CA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.4:-:*:*:*:*:*:*",
"matchCriteriaId": "532CBBBF-BB12-483C-A996-A7DE7F0330A9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.4:security_2025_update1:*:*:*:*:*:*",
"matchCriteriaId": "967840A2-98F6-4729-B979-32628AA34F38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.4:security_2025_update2:*:*:*:*:*:*",
"matchCriteriaId": "278C5760-3183-4A79-BE1F-A280BD5A3274",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks."
}
],
"id": "CVE-2025-57872",
"lastModified": "2025-10-17T14:14:32.447",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "psirt@esri.com",
"type": "Primary"
}
]
},
"published": "2025-09-29T19:15:36.117",
"references": [
{
"source": "psirt@esri.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2025-update-3-patch"
}
],
"sourceIdentifier": "psirt@esri.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-601"
}
],
"source": "psirt@esri.com",
"type": "Primary"
}
]
}
FKIE_CVE-2025-57871
Vulnerability from fkie_nvd - Published: 2025-09-29 19:15 - Updated: 2025-10-17 14:08
Severity ?
Summary
There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| esri | portal_for_arcgis | 10.9.1 | |
| esri | portal_for_arcgis | 10.9.1 | |
| esri | portal_for_arcgis | 10.9.1 | |
| esri | portal_for_arcgis | 11.0 | |
| esri | portal_for_arcgis | 11.1 | |
| esri | portal_for_arcgis | 11.1 | |
| esri | portal_for_arcgis | 11.1 | |
| esri | portal_for_arcgis | 11.1 | |
| esri | portal_for_arcgis | 11.1 | |
| esri | portal_for_arcgis | 11.2 | |
| esri | portal_for_arcgis | 11.2 | |
| esri | portal_for_arcgis | 11.2 | |
| esri | portal_for_arcgis | 11.2 | |
| esri | portal_for_arcgis | 11.2 | |
| esri | portal_for_arcgis | 11.3 | |
| esri | portal_for_arcgis | 11.3 | |
| esri | portal_for_arcgis | 11.3 | |
| esri | portal_for_arcgis | 11.4 | |
| esri | portal_for_arcgis | 11.4 | |
| esri | portal_for_arcgis | 11.4 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:10.9.1:-:*:*:*:*:*:*",
"matchCriteriaId": "43F37C65-CBEC-4688-8DB4-B58C83EEBC92",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:10.9.1:security_2025_update1:*:*:*:*:*:*",
"matchCriteriaId": "A97FDB6F-0614-4F4A-91F1-09C230ED5E3C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:10.9.1:security_2025_update2:*:*:*:*:*:*",
"matchCriteriaId": "7770A56F-0801-4982-828E-F43446224608",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2A62FCB5-12A6-487C-BCA9-0AD3F11354CD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.1:-:*:*:*:*:*:*",
"matchCriteriaId": "57DA68A3-0E09-4C8C-A98E-B027964FA17A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.1:security_2024_update1:*:*:*:*:*:*",
"matchCriteriaId": "C3A6B038-6C92-4A34-B980-E3872265FF89",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.1:security_2024_update2:*:*:*:*:*:*",
"matchCriteriaId": "4DA6D70E-60D6-4CE6-AFA4-7BB191A23E3B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.1:security_2025_update1:*:*:*:*:*:*",
"matchCriteriaId": "9FCD40AD-6D5B-498C-AFD7-B84B4FD1E3F3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.1:security_2025_update2:*:*:*:*:*:*",
"matchCriteriaId": "3E2AE6CA-0F8E-4D40-94E3-FEAB2E7E2CF7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.2:-:*:*:*:*:*:*",
"matchCriteriaId": "3460737E-3181-4FCB-9A2B-D4C27C5FC774",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.2:security_2024_update1:*:*:*:*:*:*",
"matchCriteriaId": "E56FFF86-E366-4910-8ECB-9F93F903762F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.2:security_2024_update2:*:*:*:*:*:*",
"matchCriteriaId": "F299D739-C8EA-4BEC-A356-3ED7F49A9A3B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.2:security_2025_update1:*:*:*:*:*:*",
"matchCriteriaId": "8B46D70A-E101-407D-B326-034232260364",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.2:security_2025_update2:*:*:*:*:*:*",
"matchCriteriaId": "021904ED-87FD-4FB4-BCC8-DE89DB05FB66",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.3:-:*:*:*:*:*:*",
"matchCriteriaId": "CF8719BA-95F6-4AB6-8A86-6742BE828260",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.3:security_2025_update1:*:*:*:*:*:*",
"matchCriteriaId": "7C19F9C7-F687-4865-8535-2E99E0AB0157",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.3:security_2025_update2:*:*:*:*:*:*",
"matchCriteriaId": "FC7EED3B-056E-4B86-94E4-FF0B62E376CA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.4:-:*:*:*:*:*:*",
"matchCriteriaId": "532CBBBF-BB12-483C-A996-A7DE7F0330A9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.4:security_2025_update1:*:*:*:*:*:*",
"matchCriteriaId": "967840A2-98F6-4729-B979-32628AA34F38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:11.4:security_2025_update2:*:*:*:*:*:*",
"matchCriteriaId": "278C5760-3183-4A79-BE1F-A280BD5A3274",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser."
}
],
"id": "CVE-2025-57871",
"lastModified": "2025-10-17T14:08:29.920",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "psirt@esri.com",
"type": "Primary"
}
]
},
"published": "2025-09-29T19:15:35.950",
"references": [
{
"source": "psirt@esri.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2025-update-3-patch"
}
],
"sourceIdentifier": "psirt@esri.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "psirt@esri.com",
"type": "Primary"
}
]
}
FKIE_CVE-2025-55105
Vulnerability from fkie_nvd - Published: 2025-08-21 20:15 - Updated: 2025-09-05 15:10
Severity ?
Summary
There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 – 11.4 that may allow a remote, authenticated attacker to inject a malicious file with an embedded XSS script which, when loaded, could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high. The attack could disclose a privileged token, which may result in the attacker gaining full control of the Portal.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| esri | portal_for_arcgis | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:*:*:*:*:*:*:*:*",
"matchCriteriaId": "411A5FAD-ED38-471B-8A18-F809D9DEBD7D",
"versionEndIncluding": "11.4",
"versionStartIncluding": "10.9.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 \u2013 11.4 that may allow a remote, authenticated attacker to inject malicious a file with an embedded xss script which when loaded could potentially execute arbitrary JavaScript code in the victim\u2019s browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de Cross-Site Scripting almacenado en las versiones 10.9.1 a 11.4 de Esri Portal for ArcGIS Enterprise Sites. Esta vulnerabilidad podr\u00eda permitir que un atacante remoto autenticado inyecte un archivo malicioso con un script XSS incrustado que, al cargarse, podr\u00eda ejecutar c\u00f3digo JavaScript arbitrario en el navegador de la v\u00edctima. Los privilegios requeridos para ejecutar este ataque son altos. El ataque podr\u00eda revelar un token privilegiado, lo que podr\u00eda permitir al atacante obtener el control total del Portal."
}
],
"id": "CVE-2025-55105",
"lastModified": "2025-09-05T15:10:54.547",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "psirt@esri.com",
"type": "Primary"
}
]
},
"published": "2025-08-21T20:15:46.483",
"references": [
{
"source": "psirt@esri.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/2925891-2"
}
],
"sourceIdentifier": "psirt@esri.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "psirt@esri.com",
"type": "Primary"
}
]
}
FKIE_CVE-2025-55107
Vulnerability from fkie_nvd - Published: 2025-08-21 20:15 - Updated: 2025-09-05 15:11
Severity ?
Summary
There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 – 11.4 that may allow a remote, authenticated attacker to inject a malicious file with an embedded XSS script which, when loaded, could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high. The attack could disclose a privileged token, which may result in the attacker gaining full control of the Portal.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| esri | portal_for_arcgis | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:*:*:*:*:*:*:*:*",
"matchCriteriaId": "411A5FAD-ED38-471B-8A18-F809D9DEBD7D",
"versionEndIncluding": "11.4",
"versionStartIncluding": "10.9.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "There is a stored\n Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites\n versions 10.9.1 \u2013 11.4 that may allow a remote, authenticated attacker to\n inject malicious a file with an embedded xss script which when loaded could\n potentially execute arbitrary JavaScript code in the victim\u2019s browser. The\n privileges required to execute this attack are high. The attack could\n disclose a privileged token which may result in the attacker gaining full\n control of the Portal."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de Cross-Site Scripting almacenado en las versiones 10.9.1 a 11.4 de Esri Portal for ArcGIS Enterprise Sites. Esta vulnerabilidad podr\u00eda permitir que un atacante remoto autenticado inyecte un archivo malicioso con un script XSS incrustado que, al cargarse, podr\u00eda ejecutar c\u00f3digo JavaScript arbitrario en el navegador de la v\u00edctima. Los privilegios requeridos para ejecutar este ataque son altos. El ataque podr\u00eda revelar un token privilegiado, lo que podr\u00eda permitir al atacante obtener el control total del Portal."
}
],
"id": "CVE-2025-55107",
"lastModified": "2025-09-05T15:11:57.197",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "psirt@esri.com",
"type": "Primary"
}
]
},
"published": "2025-08-21T20:15:46.867",
"references": [
{
"source": "psirt@esri.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/2925891-2"
}
],
"sourceIdentifier": "psirt@esri.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "psirt@esri.com",
"type": "Primary"
}
]
}
FKIE_CVE-2025-55104
Vulnerability from fkie_nvd - Published: 2025-08-21 20:15 - Updated: 2025-09-05 15:10
Severity ?
Summary
A stored cross-site scripting (XSS) vulnerability exists in ArcGIS HUB and ArcGIS Enterprise Sites which allows an authenticated user with the ability to create or edit a site to add and store an XSS payload. If this stored XSS payload is triggered by any user, attacker-supplied JavaScript may execute in the victim's browser.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| esri | portal_for_arcgis | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:esri:portal_for_arcgis:*:*:*:*:*:*:*:*",
"matchCriteriaId": "411A5FAD-ED38-471B-8A18-F809D9DEBD7D",
"versionEndIncluding": "11.4",
"versionStartIncluding": "10.9.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability exists ArcGIS HUB and ArcGIS Enterprise Sites which allows an authenticated user with the ability to create or edit a site to add and store an XSS payload. If this stored XSS payload is triggered by any user attacker supplied JavaScript may execute in the victim\u0027s browser."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de cross-site scripting (XSS) almacenado en ArcGIS HUB y ArcGIS Enterprise Sites. Esta vulnerabilidad permite que un usuario autenticado, al crear o editar un sitio, agregue y almacene un payload XSS. Si cualquier usuario activa este payload XSS almacenado, el atacante podr\u00eda ejecutar JavaScript en el navegador de la v\u00edctima."
}
],
"id": "CVE-2025-55104",
"lastModified": "2025-09-05T15:10:03.933",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "psirt@esri.com",
"type": "Primary"
}
]
},
"published": "2025-08-21T20:15:46.287",
"references": [
{
"source": "psirt@esri.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/2925891-2"
}
],
"sourceIdentifier": "psirt@esri.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "psirt@esri.com",
"type": "Primary"
}
]
}
CVE-2025-57871 (GCVE-0-2025-57871)
Vulnerability from cvelistv5 – Published: 2025-09-29 18:39 – Updated: 2025-09-29 18:51
VLAI?
Summary
There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser.
Severity ?
4.8 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Esri | Portal for ArcGIS | Affected: 10.9.1 , ≤ 11.4 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-57871",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-29T18:51:01.078129Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T18:51:37.943Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux"
],
"product": "Portal for ArcGIS",
"vendor": "Esri",
"versions": [
{
"lessThanOrEqual": "11.4",
"status": "affected",
"version": "10.9.1",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-09-29T18:39:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser. \u003cbr\u003e\u003cbr\u003e"
}
],
"value": "There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-591 Reflected XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T18:43:12.156Z",
"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"shortName": "Esri"
},
"references": [
{
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2025-update-3-patch"
}
],
"source": {
"defect": [
"BUG-000174020"
],
"discovery": "UNKNOWN"
},
"title": "BUG-000174020 -\u00a0Reflected XSS vulnerability identified in Portal for ArcGIS. (11.3, 11.1, 10.9.1)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"assignerShortName": "Esri",
"cveId": "CVE-2025-57871",
"datePublished": "2025-09-29T18:39:13.631Z",
"dateReserved": "2025-08-21T19:31:57.229Z",
"dateUpdated": "2025-09-29T18:51:37.943Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-57872 (GCVE-0-2025-57872)
Vulnerability from cvelistv5 – Published: 2025-09-29 18:38 – Updated: 2025-09-29 18:54
Summary
There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks.
Severity ?
6.1 (Medium)
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Esri | Portal for ArcGIS | Affected: 10.9.1, ≤ 11.4 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-57872",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-29T18:54:45.460956Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T18:54:57.118Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux"
],
"product": "Portal for ArcGIS",
"vendor": "Esri",
"versions": [
{
"lessThanOrEqual": "11.4",
"status": "affected",
"version": "10.9.1",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-09-29T18:38:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks."
}
],
"impacts": [
{
"capecId": "CAPEC-109",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-109 Object Relational Mapping Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T18:38:55.362Z",
"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"shortName": "Esri"
},
"references": [
{
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2025-update-3-patch"
}
],
"source": {
"defect": [
"BUG-000174150"
],
"discovery": "UNKNOWN"
},
"title": "BUG-000174150 - Unvalidated redirect in Portal for ArcGIS.",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"assignerShortName": "Esri",
"cveId": "CVE-2025-57872",
"datePublished": "2025-09-29T18:38:34.529Z",
"dateReserved": "2025-08-21T19:31:57.229Z",
"dateUpdated": "2025-09-29T18:54:57.118Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-57873 (GCVE-0-2025-57873)
Vulnerability from cvelistv5 – Published: 2025-09-29 18:37 – Updated: 2025-09-29 19:09
Summary
There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser.
Severity ?
4.8 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Esri | Portal for ArcGIS | Affected: 10.9.1, ≤ 11.4 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-57873",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-29T19:09:25.926817Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T19:09:37.372Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux"
],
"product": "Portal for ArcGIS",
"vendor": "Esri",
"versions": [
{
"lessThanOrEqual": "11.4",
"status": "affected",
"version": "10.9.1",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-09-29T18:37:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser. \u003cbr\u003e\u003cbr\u003e"
}
],
"value": "There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-591 Reflected XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T18:37:58.573Z",
"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"shortName": "Esri"
},
"references": [
{
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2025-update-3-patch"
}
],
"source": {
"defect": [
"BUG-000175222"
],
"discovery": "UNKNOWN"
},
"title": "BUG-000175222 - Reflected XSS vulnerability in Portal for ArcGIS.",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"assignerShortName": "Esri",
"cveId": "CVE-2025-57873",
"datePublished": "2025-09-29T18:37:54.701Z",
"dateReserved": "2025-08-21T19:31:57.229Z",
"dateUpdated": "2025-09-29T19:09:37.372Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-57874 (GCVE-0-2025-57874)
Vulnerability from cvelistv5 – Published: 2025-09-29 18:37 – Updated: 2025-09-29 19:11
Summary
There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser.
Severity ?
4.8 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Esri | Portal for ArcGIS | Affected: 10.9.1, ≤ 11.4 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-57874",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-29T19:10:54.072055Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T19:11:05.059Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux"
],
"product": "Portal for ArcGIS",
"vendor": "Esri",
"versions": [
{
"lessThanOrEqual": "11.4",
"status": "affected",
"version": "10.9.1",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-09-29T18:37:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser. \u003cbr\u003e\u003cbr\u003e"
}
],
"value": "There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-591 Reflected XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T18:37:33.834Z",
"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"shortName": "Esri"
},
"references": [
{
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2025-update-3-patch"
}
],
"source": {
"defect": [
"BUG-000161627"
],
"discovery": "UNKNOWN"
},
"title": "BUG-000161627 -\u00a0Reflected XSS vulnerability in Portal for ArcGIS.\u00a0 (11.3, 11.1, 10.9.1)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"assignerShortName": "Esri",
"cveId": "CVE-2025-57874",
"datePublished": "2025-09-29T18:37:16.737Z",
"dateReserved": "2025-08-21T19:31:57.229Z",
"dateUpdated": "2025-09-29T19:11:05.059Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-57875 (GCVE-0-2025-57875)
Vulnerability from cvelistv5 – Published: 2025-09-29 18:35 – Updated: 2025-09-29 20:00
Summary
There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser.
Severity ?
4.8 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Esri | Portal for ArcGIS | Affected: 10.9.1, ≤ 11.4 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-57875",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-29T20:00:01.089720Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T20:00:18.890Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux"
],
"product": "Portal for ArcGIS",
"vendor": "Esri",
"versions": [
{
"lessThanOrEqual": "11.4",
"status": "affected",
"version": "10.9.1",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-09-29T18:35:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser."
}
],
"value": "There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-591 Reflected XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T18:35:34.753Z",
"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"shortName": "Esri"
},
"references": [
{
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2025-update-3-patch"
}
],
"source": {
"defect": [
"BUG-000164122"
],
"discovery": "UNKNOWN"
},
"title": "BUG-000164122 - Reflected XSS vulnerability in Portal for ArcGIS.",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"assignerShortName": "Esri",
"cveId": "CVE-2025-57875",
"datePublished": "2025-09-29T18:35:34.753Z",
"dateReserved": "2025-08-21T19:31:58.712Z",
"dateUpdated": "2025-09-29T20:00:18.890Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-57877 (GCVE-0-2025-57877)
Vulnerability from cvelistv5 – Published: 2025-09-29 18:34 – Updated: 2025-09-29 19:53
Summary
There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser.
Severity ?
4.8 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Esri | Portal for ArcGIS | Affected: 10.9.1, ≤ 11.4 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-57877",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-29T19:53:42.520178Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T19:53:54.356Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux"
],
"product": "Portal for ArcGIS",
"vendor": "Esri",
"versions": [
{
"lessThanOrEqual": "11.4",
"status": "affected",
"version": "10.9.1",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-09-29T18:34:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser.\u003cbr\u003e"
}
],
"value": "There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-591 Reflected XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T18:34:59.201Z",
"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"shortName": "Esri"
},
"references": [
{
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2025-update-3-patch"
}
],
"source": {
"advisory": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administr",
"discovery": "UNKNOWN"
},
"title": "Reflected XSS vulnerability in Portal for ArcGIS.",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"assignerShortName": "Esri",
"cveId": "CVE-2025-57877",
"datePublished": "2025-09-29T18:34:59.201Z",
"dateReserved": "2025-08-21T19:31:58.713Z",
"dateUpdated": "2025-09-29T19:53:54.356Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-57878 (GCVE-0-2025-57878)
Vulnerability from cvelistv5 – Published: 2025-09-29 18:33 – Updated: 2025-09-29 19:53
Summary
There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks.
Severity ?
6.1 (Medium)
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Esri | Portal for ArcGIS | Affected: 10.9.1, ≤ 11.4 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-57878",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-29T19:53:05.497369Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T19:53:18.268Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux"
],
"product": "Portal for ArcGIS",
"vendor": "Esri",
"versions": [
{
"lessThanOrEqual": "11.4",
"status": "affected",
"version": "10.9.1",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-09-29T18:33:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks."
}
],
"value": "There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks."
}
],
"impacts": [
{
"capecId": "CAPEC-109",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-109 Object Relational Mapping Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T18:34:24.998Z",
"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"shortName": "Esri"
},
"references": [
{
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2025-update-3-patch"
}
],
"source": {
"advisory": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administr",
"defect": [
"BUG-000174149"
],
"discovery": "UNKNOWN"
},
"title": "BUG-000174149 -\u00a0The Portal for ArcGIS has an unvalidated redirect.",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"assignerShortName": "Esri",
"cveId": "CVE-2025-57878",
"datePublished": "2025-09-29T18:33:59.071Z",
"dateReserved": "2025-08-21T19:31:58.713Z",
"dateUpdated": "2025-09-29T19:53:18.268Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-57879 (GCVE-0-2025-57879)
Vulnerability from cvelistv5 – Published: 2025-09-29 18:33 – Updated: 2025-09-29 19:52
Summary
There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks.
Severity ?
6.1 (Medium)
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Esri | Portal for ArcGIS | Affected: 10.9.1, ≤ 11.4 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-57879",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-29T19:52:33.634419Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T19:52:42.354Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"iOS"
],
"product": "Portal for ArcGIS",
"vendor": "Esri",
"versions": [
{
"lessThanOrEqual": "11.4",
"status": "affected",
"version": "10.9.1",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-09-29T18:33:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks."
}
],
"value": "There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks."
}
],
"impacts": [
{
"capecId": "CAPEC-109",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-109 Object Relational Mapping Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T18:33:32.473Z",
"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"shortName": "Esri"
},
"references": [
{
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2025-update-3-patch"
}
],
"source": {
"advisory": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administr",
"defect": [
"BUG-000171009"
],
"discovery": "UNKNOWN"
},
"title": "BUG-000171009 -\u00a0URL manipulation vulnerability in Portal for ArcGIS.",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"assignerShortName": "Esri",
"cveId": "CVE-2025-57879",
"datePublished": "2025-09-29T18:33:06.669Z",
"dateReserved": "2025-08-21T19:31:58.713Z",
"dateUpdated": "2025-09-29T19:52:42.354Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-57876 (GCVE-0-2025-57876)
Vulnerability from cvelistv5 – Published: 2025-09-29 18:32 – Updated: 2025-09-29 19:52
Summary
There is a stored cross-site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, authenticated attacker to inject a malicious file with an embedded XSS script which, when loaded, could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high. The attack could disclose a privileged token, which may result in the attacker gaining full control of the Portal.
Severity ?
4.8 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Esri | Portal for ArcGIS | Affected: 10.9.1, ≤ 11.4 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-57876",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-29T19:52:09.396974Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T19:52:16.857Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux"
],
"product": "Portal for ArcGIS",
"vendor": "Esri",
"versions": [
{
"lessThanOrEqual": "11.4",
"status": "affected",
"version": "10.9.1",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-09-29T18:31:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, authenticated attacker to inject malicious a file with an embedded xss script which when loaded could potentially execute arbitrary JavaScript code in the victim\u2019s browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal.\u003cbr\u003e"
}
],
"value": "There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, authenticated attacker to inject malicious a file with an embedded xss script which when loaded could potentially execute arbitrary JavaScript code in the victim\u2019s browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T18:32:20.557Z",
"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"shortName": "Esri"
},
"references": [
{
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2025-update-3-patch"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Stored XSS vulnerability in Portal for ArcGIS",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"assignerShortName": "Esri",
"cveId": "CVE-2025-57876",
"datePublished": "2025-09-29T18:32:20.557Z",
"dateReserved": "2025-08-21T19:31:58.713Z",
"dateUpdated": "2025-09-29T19:52:16.857Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-57871 (GCVE-0-2025-57871)
Vulnerability from nvd – Published: 2025-09-29 18:39 – Updated: 2025-09-29 18:51
Summary
There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser.
Severity ?
4.8 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Esri | Portal for ArcGIS | Affected: 10.9.1, ≤ 11.4 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-57871",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-29T18:51:01.078129Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T18:51:37.943Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux"
],
"product": "Portal for ArcGIS",
"vendor": "Esri",
"versions": [
{
"lessThanOrEqual": "11.4",
"status": "affected",
"version": "10.9.1",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-09-29T18:39:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser. \u003cbr\u003e\u003cbr\u003e"
}
],
"value": "There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-591 Reflected XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T18:43:12.156Z",
"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"shortName": "Esri"
},
"references": [
{
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2025-update-3-patch"
}
],
"source": {
"defect": [
"BUG-000174020"
],
"discovery": "UNKNOWN"
},
"title": "BUG-000174020 -\u00a0Reflected XSS vulnerability identified in Portal for ArcGIS. (11.3, 11.1, 10.9.1)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"assignerShortName": "Esri",
"cveId": "CVE-2025-57871",
"datePublished": "2025-09-29T18:39:13.631Z",
"dateReserved": "2025-08-21T19:31:57.229Z",
"dateUpdated": "2025-09-29T18:51:37.943Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-57872 (GCVE-0-2025-57872)
Vulnerability from nvd – Published: 2025-09-29 18:38 – Updated: 2025-09-29 18:54
Summary
There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks.
Severity ?
6.1 (Medium)
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Esri | Portal for ArcGIS | Affected: 10.9.1, ≤ 11.4 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-57872",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-29T18:54:45.460956Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T18:54:57.118Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux"
],
"product": "Portal for ArcGIS",
"vendor": "Esri",
"versions": [
{
"lessThanOrEqual": "11.4",
"status": "affected",
"version": "10.9.1",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-09-29T18:38:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks."
}
],
"impacts": [
{
"capecId": "CAPEC-109",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-109 Object Relational Mapping Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T18:38:55.362Z",
"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"shortName": "Esri"
},
"references": [
{
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2025-update-3-patch"
}
],
"source": {
"defect": [
"BUG-000174150"
],
"discovery": "UNKNOWN"
},
"title": "BUG-000174150 - Unvalidated redirect in Portal for ArcGIS.",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"assignerShortName": "Esri",
"cveId": "CVE-2025-57872",
"datePublished": "2025-09-29T18:38:34.529Z",
"dateReserved": "2025-08-21T19:31:57.229Z",
"dateUpdated": "2025-09-29T18:54:57.118Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-57873 (GCVE-0-2025-57873)
Vulnerability from nvd – Published: 2025-09-29 18:37 – Updated: 2025-09-29 19:09
Summary
There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser.
Severity ?
4.8 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Esri | Portal for ArcGIS | Affected: 10.9.1, ≤ 11.4 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-57873",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-29T19:09:25.926817Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T19:09:37.372Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux"
],
"product": "Portal for ArcGIS",
"vendor": "Esri",
"versions": [
{
"lessThanOrEqual": "11.4",
"status": "affected",
"version": "10.9.1",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-09-29T18:37:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser. \u003cbr\u003e\u003cbr\u003e"
}
],
"value": "There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-591 Reflected XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T18:37:58.573Z",
"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"shortName": "Esri"
},
"references": [
{
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2025-update-3-patch"
}
],
"source": {
"defect": [
"BUG-000175222"
],
"discovery": "UNKNOWN"
},
"title": "BUG-000175222 - Reflected XSS vulnerability in Portal for ArcGIS.",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"assignerShortName": "Esri",
"cveId": "CVE-2025-57873",
"datePublished": "2025-09-29T18:37:54.701Z",
"dateReserved": "2025-08-21T19:31:57.229Z",
"dateUpdated": "2025-09-29T19:09:37.372Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-57874 (GCVE-0-2025-57874)
Vulnerability from nvd – Published: 2025-09-29 18:37 – Updated: 2025-09-29 19:11
Summary
There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser.
Severity ?
4.8 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Esri | Portal for ArcGIS | Affected: 10.9.1, ≤ 11.4 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-57874",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-29T19:10:54.072055Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T19:11:05.059Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux"
],
"product": "Portal for ArcGIS",
"vendor": "Esri",
"versions": [
{
"lessThanOrEqual": "11.4",
"status": "affected",
"version": "10.9.1",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-09-29T18:37:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser. \u003cbr\u003e\u003cbr\u003e"
}
],
"value": "There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-591 Reflected XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T18:37:33.834Z",
"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"shortName": "Esri"
},
"references": [
{
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2025-update-3-patch"
}
],
"source": {
"defect": [
"BUG-000161627"
],
"discovery": "UNKNOWN"
},
"title": "BUG-000161627 -\u00a0Reflected XSS vulnerability in Portal for ArcGIS.\u00a0 (11.3, 11.1, 10.9.1)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"assignerShortName": "Esri",
"cveId": "CVE-2025-57874",
"datePublished": "2025-09-29T18:37:16.737Z",
"dateReserved": "2025-08-21T19:31:57.229Z",
"dateUpdated": "2025-09-29T19:11:05.059Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-57875 (GCVE-0-2025-57875)
Vulnerability from nvd – Published: 2025-09-29 18:35 – Updated: 2025-09-29 20:00
Summary
There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser.
Severity ?
4.8 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Esri | Portal for ArcGIS | Affected: 10.9.1, ≤ 11.4 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-57875",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-29T20:00:01.089720Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T20:00:18.890Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux"
],
"product": "Portal for ArcGIS",
"vendor": "Esri",
"versions": [
{
"lessThanOrEqual": "11.4",
"status": "affected",
"version": "10.9.1",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-09-29T18:35:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser."
}
],
"value": "There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-591 Reflected XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T18:35:34.753Z",
"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"shortName": "Esri"
},
"references": [
{
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2025-update-3-patch"
}
],
"source": {
"defect": [
"BUG-000164122"
],
"discovery": "UNKNOWN"
},
"title": "BUG-000164122 - Reflected XSS vulnerability in Portal for ArcGIS.",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"assignerShortName": "Esri",
"cveId": "CVE-2025-57875",
"datePublished": "2025-09-29T18:35:34.753Z",
"dateReserved": "2025-08-21T19:31:58.712Z",
"dateUpdated": "2025-09-29T20:00:18.890Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-57877 (GCVE-0-2025-57877)
Vulnerability from nvd – Published: 2025-09-29 18:34 – Updated: 2025-09-29 19:53
Summary
There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser.
Severity ?
4.8 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Esri | Portal for ArcGIS | Affected: 10.9.1, ≤ 11.4 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-57877",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-29T19:53:42.520178Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T19:53:54.356Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux"
],
"product": "Portal for ArcGIS",
"vendor": "Esri",
"versions": [
{
"lessThanOrEqual": "11.4",
"status": "affected",
"version": "10.9.1",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-09-29T18:34:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser.\u003cbr\u003e"
}
],
"value": "There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-591 Reflected XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T18:34:59.201Z",
"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"shortName": "Esri"
},
"references": [
{
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2025-update-3-patch"
}
],
"source": {
"advisory": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administr",
"discovery": "UNKNOWN"
},
"title": "Reflected XSS vulnerability in Portal for ArcGIS.",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"assignerShortName": "Esri",
"cveId": "CVE-2025-57877",
"datePublished": "2025-09-29T18:34:59.201Z",
"dateReserved": "2025-08-21T19:31:58.713Z",
"dateUpdated": "2025-09-29T19:53:54.356Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-57878 (GCVE-0-2025-57878)
Vulnerability from nvd – Published: 2025-09-29 18:33 – Updated: 2025-09-29 19:53
Summary
There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks.
Severity ?
6.1 (Medium)
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Esri | Portal for ArcGIS | Affected: 10.9.1, ≤ 11.4 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-57878",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-29T19:53:05.497369Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T19:53:18.268Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux"
],
"product": "Portal for ArcGIS",
"vendor": "Esri",
"versions": [
{
"lessThanOrEqual": "11.4",
"status": "affected",
"version": "10.9.1",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-09-29T18:33:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks."
}
],
"value": "There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks."
}
],
"impacts": [
{
"capecId": "CAPEC-109",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-109 Object Relational Mapping Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T18:34:24.998Z",
"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"shortName": "Esri"
},
"references": [
{
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2025-update-3-patch"
}
],
"source": {
"advisory": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administr",
"defect": [
"BUG-000174149"
],
"discovery": "UNKNOWN"
},
"title": "BUG-000174149 -\u00a0The Portal for ArcGIS has an unvalidated redirect.",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"assignerShortName": "Esri",
"cveId": "CVE-2025-57878",
"datePublished": "2025-09-29T18:33:59.071Z",
"dateReserved": "2025-08-21T19:31:58.713Z",
"dateUpdated": "2025-09-29T19:53:18.268Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-57879 (GCVE-0-2025-57879)
Vulnerability from nvd – Published: 2025-09-29 18:33 – Updated: 2025-09-29 19:52
Summary
There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks.
Severity ?
6.1 (Medium)
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Esri | Portal for ArcGIS | Affected: 10.9.1, ≤ 11.4 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-57879",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-29T19:52:33.634419Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T19:52:42.354Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"iOS"
],
"product": "Portal for ArcGIS",
"vendor": "Esri",
"versions": [
{
"lessThanOrEqual": "11.4",
"status": "affected",
"version": "10.9.1",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-09-29T18:33:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks."
}
],
"value": "There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks."
}
],
"impacts": [
{
"capecId": "CAPEC-109",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-109 Object Relational Mapping Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T18:33:32.473Z",
"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"shortName": "Esri"
},
"references": [
{
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2025-update-3-patch"
}
],
"source": {
"advisory": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administr",
"defect": [
"BUG-000171009"
],
"discovery": "UNKNOWN"
},
"title": "BUG-000171009 -\u00a0URL manipulation vulnerability in Portal for ArcGIS.",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"assignerShortName": "Esri",
"cveId": "CVE-2025-57879",
"datePublished": "2025-09-29T18:33:06.669Z",
"dateReserved": "2025-08-21T19:31:58.713Z",
"dateUpdated": "2025-09-29T19:52:42.354Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-57876 (GCVE-0-2025-57876)
Vulnerability from nvd – Published: 2025-09-29 18:32 – Updated: 2025-09-29 19:52
Summary
There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, authenticated attacker to inject a malicious file with an embedded XSS script which, when loaded, could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal.
Severity ?
4.8 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Esri | Portal for ArcGIS | Affected: 10.9.1, ≤ 11.4 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-57876",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-29T19:52:09.396974Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T19:52:16.857Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux"
],
"product": "Portal for ArcGIS",
"vendor": "Esri",
"versions": [
{
"lessThanOrEqual": "11.4",
"status": "affected",
"version": "10.9.1",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-09-29T18:31:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, authenticated attacker to inject malicious a file with an embedded xss script which when loaded could potentially execute arbitrary JavaScript code in the victim\u2019s browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal.\u003cbr\u003e"
}
],
"value": "There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, authenticated attacker to inject malicious a file with an embedded xss script which when loaded could potentially execute arbitrary JavaScript code in the victim\u2019s browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T18:32:20.557Z",
"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"shortName": "Esri"
},
"references": [
{
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2025-update-3-patch"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Stored XSS vulnerability in Portal for ArcGIS",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"assignerShortName": "Esri",
"cveId": "CVE-2025-57876",
"datePublished": "2025-09-29T18:32:20.557Z",
"dateReserved": "2025-08-21T19:31:58.713Z",
"dateUpdated": "2025-09-29T19:52:16.857Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}