CVE-2024-25701— Esri Portal for ArcGIS 跨站脚本漏洞

BUG-000160765 - Stored XSS in ArcGIS Experience Builder

There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Experience Builder versions 11.1 and below that may allow a remote, authenticated attacker to create a crafted link that is stored in the Experience Builder Embed widget which when loaded could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal.

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

Esri Portal for ArcGIS 跨站脚本漏洞

Esri Portal For ArcGIS是美国环境系统研究所（Esri）公司的一种允许在组织内与其他人共享地图、场景、应用程序和其他地理信息的组件。 Esri Portal for ArcGIS 存在跨站脚本漏洞，该漏洞源于包含一个存储型跨站脚本漏洞。允许经过身份验证的远程攻击者创建存储在 Experience Builder Embed 小部件中的特制链接，加载后可能会在受害者的浏览器中执行任意 JavaScript 代码。

N/A

N/A