6.9
CVE-2024-47764 - cookie accepts cookie name, path, and domain with out of bounds characters
cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie. Upgrade to 0.7…
7.5
CVE-2024-38040 - BUG-000167984 - Portal for ArcGIS has a Local file inclusion (LFI) vulnerability
There is a local file inclusion vulnerability in Esri Portal for ArcGIS 11.2 and below that may allow a remote, unauthenticated attacker to craft a URL that could potentially disclose sensitive configuration information by reading internal files.
6.1
CVE-2024-38038 - BUG-000165732 - Reflected XSS in Portal for ArcGIS
There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 11.1 which may allow a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser.
6.1
CVE-2024-25691 - BUG-000165286 - Reflected XSS in Portal for ArcGIS
There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 11.1 and below which may allow a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser.
4.8
CVE-2024-25694 - BUG-000163019 - Stored XSS in Portal for ArcGIS
There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise versions 11.1 and below that may allow a remote, authenticated attacker to create a crafted link that is stored in the Layer Showcase application configuration which when clicked could potentially execute arbi…
4.8
CVE-2024-25701 - BUG-000160765 - Stored XSS in ArcGIS Experience Builder
There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Experience Builder versions 11.1 and below that may allow a remote, authenticated attacker to create a crafted link that is stored in the Experience Builder Embed widget which when loaded could potentially exe…
4.8
CVE-2024-25702 - BUG-000160599 - Stored XSS in Portal for ArcGIS Web App Builder
There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 11.1 and below that may allow a remote, authenticated attacker to create a crafted link that is stored in the site configuration which when clicked could potentially execute arbitrary JavaScript…
4.8
CVE-2024-25707 - BUG-000160241 - Reflected XSS in Portal for ArcGIS
There is a reflected cross site scripting in Esri Portal for ArcGIS 11.1 and below on Windows and Linux x64 allows a remote authenticated attacker with administrative access to supply a crafted string which could potentially execute arbitrary JavaScript code in the their own browser (Self XSS). A u…
5.4
CVE-2024-38036 - BUG-000154827 - Reflected XSS in ArcGIS Experience Builder
There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.9.1 and below which may allow a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser.
4.6
CVE-2024-8149 - BUG-000168624 - Unvalidated redirect in Portal for ArcGIS.
There is a reflected Cross‑Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS versions 11.1 and 11.2 that may allow a remote, authenticated attacker with low‑privileged access to create a crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim’s…