ArcGIS Portal 2025 Update 3 Security Patch: Path Traversal & XSS Vulnerabilities (CVE-2025-57878/57879/57872)

Key Vulnerability Information Update Version: Portal for ArcGIS Security 2025 Update 3 Patch Release Date: September 15, 2025 Key Highlights: - Medium severity patch; recommended to apply at your convenience. - Portal Patch 3 is cumulative and includes all fixes and new features from Portal Patch 1 and Portal Patch 2. Installing Portal Patch 3 will apply all necessary updates; there is no need to install previous patches separately. - Along with this patch, ensure your organization has implemented our 2025 Top 5 New Critical Best Practices. Affected CVE List and Scores: - CVE-2025-57878: CVSS v3.1 Base Score 6.1, Temporal Score 5.8 (Relative Path Traversal) - CVE-2025-57879: CVSS v3.1 Base Score 6.1, Temporal Score 5.8 (Relative Path Traversal) - CVE-2025-57872: CVSS v3.1 Base Score 6.1, Temporal Score 5.8 (Relative Path Traversal) - CVE-2025-57876: CVSS v3.1 Base Score 4.8, Temporal Score 4.6 (Improper Neutralization of Input During Web Page Generation (XSS)) - CVE-2025-57877: CVSS v3.1 Base Score 4.8, Temporal Score 4.6 (Improper Neutralization of Input During Web Page Generation (XSS)) - CVE-2025-57875: CVSS v3.1 Base Score 4.8, Temporal Score 4.6 (Improper Neutralization of Input During Web Page Generation (XSS)) - CVE-2025-57874: CVSS v3.1 Base Score 4.8, Temporal Score 4.6 (Improper Neutralization of Input During Web Page Generation (XSS)) - CVE-2025-57873: CVSS v3.1 Base Score 4.8, Temporal Score 4.6 (Improper Neutralization of Input During Web Page Generation (XSS)) - CVE-2025-57871: CVSS v3.1 Base Score 4.8, Temporal Score 4.6 (Improper Neutralization of Input During Web Page Generation (XSS)) Affected Versions: - Applies to version 11.4 and earlier. - Versions 11.5 and later are not affected, but should ensure implementation of 2025 Critical Best Practices. Additional Important Information: - Any customer using software versions in the Mature or End-of-Life status should immediately plan an upgrade to a Generally Available release. - CVSS v3.1 scores are provided to help customers assess the risk these vulnerabilities pose to their operations.

Goal Reached Thanks to every supporter — we hit 100%!

ArcGIS Portal 2025 Update 3 Security Patch: Path Traversal & XSS Vulnerabilities (CVE-2025-57878/57879/57872)