CVE-2023-25840— BUG-000154070 Stored XSS issue in the ArcGIS REST Services directory

CVSS 3.4 · Low EPSS 0.15% · P36 Updated Apr 11, 2025

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2023-25840

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

BUG-000154070 Stored XSS issue in the ArcGIS REST Services directory

Source: NVD (National Vulnerability Database)

Vulnerability Description

There is a Cross-site Scripting vulnerability in ArcGIS Server in versions 11.1 and below that may allow a remote, authenticated attacker to create a crafted link which onmouseover wont execute but could potentially render an image in the victims browser. The privileges required to execute this attack are high.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N

Source: NVD (National Vulnerability Database)

Vulnerability Type

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

Source: NVD (National Vulnerability Database)

Vulnerability Title

Esri ArcGIS Server 跨站脚本漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

Esri ArcGIS Server是美国环境系统研究所（Esri）公司的一个面向Web的可用于提供地理位置服务的企业级软件平台。 Esri ArcGIS Server 10.8.1至11.1版本存在跨站脚本漏洞，该漏洞源于存在跨站脚本（XSS）漏洞。攻击可利用该漏洞诱导用户点击恶意链接，并在受害者浏览器中呈现图像。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
Esri	ArcGIS Enterprise Server	All ~ 11.1	-

II. Public POCs for CVE-2023-25840

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2023-25840

请登录查看更多情报信息。

Same Patch Batch · Esri · 2023-07-21 · 4 CVEs total

CVE-2023-25837	8.4 HIGH	BUG-000133088 - ArcGIS Enterprise site builder is subject to stored XSS.
CVE-2023-25841	6.1 MEDIUM	BUG-000158075 Stored XSS issue in ArcGIS Server
CVE-2023-25836	5.4 MEDIUM	BUG-000135364 XSS in 10.8.1 sites builder iframe source

IV. Related Vulnerabilities

Same product: ArcGIS Enterprise Server

Same vendor: Esri

Same weakness: CWE-79

V. Comments for CVE-2023-25840

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2023-25840— BUG-000154070 Stored XSS issue in the ArcGIS REST Services directory

I. Basic Information for CVE-2023-25840

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2023-25840

III. Intelligence Information for CVE-2023-25840

Same Patch Batch · Esri · 2023-07-21 · 4 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2023-25840

Leave a comment