cnvd - cnvd-2025-21188

CNVD-2025-21188

Vulnerability from cnvd - Published: 2025-09-12

Title

esri Portal for ArcGIS Enterprise Sites跨站脚本漏洞（CNVD-2025-21188）

Description

esri Portal for ArcGIS Enterprise Sites是ESRI推出的企业级地理信息共享平台，允许组织内用户通过门户网站查看、编辑、共享地理信息。 esri Portal for ArcGIS Enterprise Sites存在跨站脚本漏洞，该漏洞源于存储型跨站脚本漏洞，攻击者可利用该漏洞通过在用户浏览器中注入恶意脚本，执行任意JavaScript代码。

Severity

中

Patch Name

esri Portal for ArcGIS Enterprise Sites跨站脚本漏洞（CNVD-2025-21188）的补丁

Patch Description

Formal description

目前厂商已发布升级程序修复该安全问题，详情见厂商官网： https://support.esri.com/en-us/products/arcgis-enterprise/life-cycle

Reference

https://nvd.nist.gov/vuln/detail/CVE-2025-55103

Impacted products

Name
esri Portal for ArcGIS Enterprise Sites >=10.9.1，<=11.4

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2025-55103",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2025-55103"
    }
  },
  "description": "esri Portal for ArcGIS Enterprise Sites\u662fESRI\u63a8\u51fa\u7684\u4f01\u4e1a\u7ea7\u5730\u7406\u4fe1\u606f\u5171\u4eab\u5e73\u53f0\uff0c\u5141\u8bb8\u7ec4\u7ec7\u5185\u7528\u6237\u901a\u8fc7\u95e8\u6237\u7f51\u7ad9\u67e5\u770b\u3001\u7f16\u8f91\u3001\u5171\u4eab\u5730\u7406\u4fe1\u606f\u3002\n\nesri Portal for ArcGIS Enterprise Sites\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5b58\u50a8\u578b\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u5728\u7528\u6237\u6d4f\u89c8\u5668\u4e2d\u6ce8\u5165\u6076\u610f\u811a\u672c\uff0c\u6267\u884c\u4efb\u610fJavaScript\u4ee3\u7801\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u7a0b\u5e8f\u4fee\u590d\u8be5\u5b89\u5168\u95ee\u9898\uff0c\u8be6\u60c5\u89c1\u5382\u5546\u5b98\u7f51\uff1a\r\nhttps://support.esri.com/en-us/products/arcgis-enterprise/life-cycle",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-21188",
  "openTime": "2025-09-12",
  "patchDescription": "esri Portal for ArcGIS Enterprise Sites\u662fESRI\u63a8\u51fa\u7684\u4f01\u4e1a\u7ea7\u5730\u7406\u4fe1\u606f\u5171\u4eab\u5e73\u53f0\uff0c\u5141\u8bb8\u7ec4\u7ec7\u5185\u7528\u6237\u901a\u8fc7\u95e8\u6237\u7f51\u7ad9\u67e5\u770b\u3001\u7f16\u8f91\u3001\u5171\u4eab\u5730\u7406\u4fe1\u606f\u3002\r\n\r\nesri Portal for ArcGIS Enterprise Sites\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5b58\u50a8\u578b\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u5728\u7528\u6237\u6d4f\u89c8\u5668\u4e2d\u6ce8\u5165\u6076\u610f\u811a\u672c\uff0c\u6267\u884c\u4efb\u610fJavaScript\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "esri Portal for ArcGIS Enterprise Sites\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2025-21188\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "esri Portal for ArcGIS Enterprise Sites \u003e=10.9.1\uff0c\u003c=11.4"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2025-55103",
  "serverity": "\u4e2d",
  "submitTime": "2025-08-27",
  "title": "esri Portal for ArcGIS Enterprise Sites\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2025-21188\uff09"
}

CVE-2025-55103 (GCVE-0-2025-55103)

Vulnerability from cvelistv5 – Published: 2025-08-21 19:25 – Updated: 2025-09-09 16:54

Summary

There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 – 11.4 that may allow a remote, authenticated attacker to inject malicious a file with an embedded xss script which when loaded could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal.

Severity ?

4.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

Esri

References

URL

Tags

https://www.esri.com/arcgis-blog/products/trust-a…

Impacted products

	Vendor	Product	Version
	Esri	Portal for ArcGIS Enterprise Sites	Affected: 10.9.1 , ≤ 11.4 (custom)

Credits

Lucas Machado

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-55103",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-21T20:14:55.030823Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-21T20:15:08.064Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Windows"
          ],
          "product": "Portal for ArcGIS Enterprise Sites",
          "vendor": "Esri",
          "versions": [
            {
              "lessThanOrEqual": "11.4",
              "status": "affected",
              "version": "10.9.1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Lucas Machado"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThere is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 \u2013 11.4 that may allow a remote, authenticated attacker to inject malicious a file with an embedded xss script which when loaded could potentially execute arbitrary JavaScript code in the victim\u2019s browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal.\u003c/span\u003e"
            }
          ],
          "value": "There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 \u2013 11.4 that may allow a remote, authenticated attacker to inject malicious a file with an embedded xss script which when loaded could potentially execute arbitrary JavaScript code in the victim\u2019s browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-592",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-592 Stored XSS"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-09T16:54:02.458Z",
        "orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
        "shortName": "Esri"
      },
      "references": [
        {
          "url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/2925891-2"
        }
      ],
      "source": {
        "defect": [
          "BUG-000177333"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "BUG-000177333 - ArcGIS Enterprise Sites has a stored Cross-site Scripting vulnerability.",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
    "assignerShortName": "Esri",
    "cveId": "CVE-2025-55103",
    "datePublished": "2025-08-21T19:25:13.460Z",
    "dateReserved": "2025-08-06T23:18:36.508Z",
    "dateUpdated": "2025-09-09T16:54:02.458Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2025-21188

CVE-2025-55103 (GCVE-0-2025-55103)

Tags

Sightings

Nomenclature