Esri Portal For Arcgis
By the Year
In 2026 there have been 0 vulnerabilities in Esri Portal For Arcgis. Last year, in 2025, Portal For Arcgis had 11 security vulnerabilities published. Right now, Portal For Arcgis is on track to have fewer security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 11 | 6.00 |
| 2024 | 23 | 5.92 |
| 2023 | 9 | 6.68 |
| 2022 | 20 | 6.56 |
| 2021 | 3 | 6.77 |
It may take a day or so for new Portal For Arcgis vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Esri Portal For Arcgis Security Vulnerabilities
Reflected XSS Remote Auth Admin Exec in Esri Portal for ArcGIS <=11.4
CVE-2025-57871
4.8 - Medium
- September 29, 2025
There is a reflected cross-site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser.
XSS
Unvalidated Redirect in Esri Portal for ArcGIS <=11.4 (Remote)
CVE-2025-57872
6.1 - Medium
- September 29, 2025
There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks.
Open Redirect
Reflected XSS in Esri Portal for ArcGIS 11.4 & below via admin supplied string
CVE-2025-57873
4.8 - Medium
- September 29, 2025
There is a reflected cross-site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser.
XSS
Reflected XSS in Esri Portal ArcGIS 11.4 via Admin JS
CVE-2025-57874
4.8 - Medium
- September 29, 2025
There is a reflected cross-site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser.
XSS
Reflected XSS in Esri Portal for ArcGIS <=11.4 (Admin Only)
CVE-2025-57875
4.8 - Medium
- September 29, 2025
There is a reflected cross-site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser.
XSS
Esri Portal for ArcGIS 11.4- Reflected XSS allows admin JS execution
CVE-2025-57877
4.8 - Medium
- September 29, 2025
There is a reflected cross-site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser.
XSS
Unvalidated Redirect in Esri Portal for ArcGIS 11.4 and earlier
CVE-2025-57878
6.1 - Medium
- September 29, 2025
There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks.
Open Redirect
Esri Portal for ArcGIS <11.4 Unvalidated Redirect Enables Phishing
CVE-2025-57879
6.1 - Medium
- September 29, 2025
There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks.
Open Redirect
Esri Portal for ArcGIS 11.4 Stored XSS via Malicious File Upload
CVE-2025-57876
4.8 - Medium
- September 29, 2025
There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, authenticated attacker to inject a malicious file with an embedded XSS script which, when loaded, could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal.
XSS
ArcGIS Portal 11.4 SSRF Bypass via SSRF protections (CVE-2025-4967)
CVE-2025-4967
9.1 - Critical
- May 29, 2025
Esri Portal for ArcGIS 11.4 and prior allows a remote, unauthenticated attacker to bypass the Portal's SSRF protections.
SSRF
Esri Portal for ArcGIS <=11.4: Hardcoded Credential Escalation
CVE-2025-2538
9.8 - Critical
- March 20, 2025
A hardcoded credential vulnerability exists in a specific deployment pattern for Esri Portal for ArcGIS versions 11.4 and below that may allow a remote unauthenticated attacker to gain administrative access to the system.
Use of Hard-coded Credentials
Esri Portal for ArcGIS <=11.0: HTML Injection via crafted link
CVE-2024-38039
5.4 - Medium
- October 04, 2024
There is an HTML injection vulnerability in Esri Portal for ArcGIS versions 11.0 and below that may allow a remote, authenticated attacker to create a crafted link which, when clicked, could render arbitrary HTML in the victim's browser (no stateful change made or customer data rendered).
XSS
Portal for ArcGIS <=11.2 LFI Remote URL can read internal files
CVE-2024-38040
7.5 - High
- October 04, 2024
There is a local file inclusion vulnerability in Esri Portal for ArcGIS 11.2 and below that may allow a remote, unauthenticated attacker to craft a URL that could potentially disclose sensitive configuration information by reading internal files.
Reflected XSS in Esri Portal for ArcGIS 11.1 (remote unauthenticated)
CVE-2024-38038
6.1 - Medium
- October 04, 2024
There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 11.1 which may allow a remote, unauthenticated attacker to create a crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim's browser.
XSS
Esri Portal for ArcGIS <11.0 Unvalidated Redirect Vulnerability (CVE-2024-38037)
CVE-2024-38037
6.1 - Medium
- October 04, 2024
There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.0 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks.
Open Redirect
Esri Portal for ArcGIS XSS via Crafted Link <=10.9.1
CVE-2024-38036
5.4 - Medium
- October 04, 2024
There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.9.1 and below which may allow a remote, unauthenticated attacker to create a crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim's browser.
XSS
Esri Portal for ArcGIS 11.1 and below: Reflected XSS via SelfXSS (Admin Auth)
CVE-2024-25707
4.8 - Medium
- October 04, 2024
There is a reflected cross-site scripting vulnerability in Esri Portal for ArcGIS 11.1 and below on Windows and Linux x64 that allows a remote authenticated attacker with administrative access to supply a crafted string which could potentially execute arbitrary JavaScript code in their own browser (Self XSS). A user cannot be phished into clicking a link to execute code.
XSS
Esri Portal Reflected XSS (<=11.1) via crafted link
CVE-2024-25691
6.1 - Medium
- October 04, 2024
There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 11.1 and below which may allow a remote, unauthenticated attacker to create a crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim's browser.
XSS
Esri Portal for ArcGIS Enterprise Sites <=11.1 XSS via Config Link
CVE-2024-25702
4.8 - Medium
- October 04, 2024
There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 11.1 and below that may allow a remote, authenticated attacker to create a crafted link that is stored in the site configuration which, when clicked, could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal.
XSS
Esri Portal 11.1 XSS in Experience Builder Embed Widget
CVE-2024-25701
4.8 - Medium
- October 04, 2024
There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Experience Builder versions 11.1 and below that may allow a remote, authenticated attacker to create a crafted link that is stored in the Experience Builder Embed widget which, when loaded, could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal.
XSS
Stored XSS in Esri Portal for ArcGIS Enterprise <11.1 via Layer Showcase Config
CVE-2024-25694
4.8 - Medium
- October 04, 2024
There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise versions 11.1 and below that may allow a remote, authenticated attacker to create a crafted link that is stored in the Layer Showcase application configuration which, when clicked, could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal.
XSS
Reflected XSS in Esri Portal for ArcGIS v11.1/v11.2 via crafted link
CVE-2024-8149
4.6 - Medium
- October 04, 2024
There is a reflected Cross-Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS versions 11.1 and 11.2 that may allow a remote, authenticated attacker with low-privileged access to create a crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim's browser. Exploitation is limited to the same browser execution context and does not result in a change of security scope beyond the affected user session.
XSS
Esri Portal for ArcGIS 11.2 and before: Unvalidated Redirect Vulnerability
CVE-2024-8148
6.1 - Medium
- October 04, 2024
There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.2 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks.
Open Redirect
Portal for ArcGIS <=11.0 XSS via crafted image link in page editor
CVE-2024-25696
4.8 - Medium
- April 04, 2024
There is a Cross-site Scripting vulnerability in Portal for ArcGIS in versions 11.0 and below that may allow a remote, authenticated attacker to create a crafted link which, when the page editor is accessed, will render an image in the victim's browser. The privileges required to execute this attack are high.
XSS
Portal for ArcGIS XSS: v<=11.1, attacks via bio page
CVE-2024-25697
5.4 - Medium
- April 04, 2024
There is a Cross-site Scripting vulnerability in Portal for ArcGIS in versions 11.1 and below that may allow a remote, authenticated attacker to create a crafted link which, when an authenticated user's bio page is opened, will render an image in the victim's browser. The privileges required to execute this attack are low.
HTML Injection in Esri Portal for ArcGIS v<=11.0 Enables Phishing
CVE-2024-25706
6.1 - Medium
- April 04, 2024
There is an HTML injection vulnerability in Esri Portal for ArcGIS 11.0 and below that may allow a remote, unauthenticated attacker to craft a URL which, when clicked, could potentially generate a message that may entice an unsuspecting victim to visit an arbitrary website. This could simplify phishing attacks.
XSS
Portal for ArcGIS <11.2 XSS via Unsanitized Error Message Input
CVE-2024-25695
7.2 - High
- April 04, 2024
There is a Cross-site Scripting vulnerability in Portal for ArcGIS in versions 11.2 and below that may allow a remote, authenticated attacker to provide input that is not sanitized properly and is rendered in error messages. There are no privileges required to execute this attack.
XSS
Path Traversal in Esri Portal for ArcGIS <=11.2
CVE-2024-25693
9.9 - Critical
- April 04, 2024
There is a path traversal in Esri Portal for ArcGIS versions <= 11.2. Successful exploitation may allow a remote, authenticated attacker to traverse the file system to access files or execute code outside of the intended directory.
Directory traversal
Esri Portal for ArcGIS 11.1 CSRF Vulnerability
CVE-2024-25692
5.4 - Medium
- April 04, 2024
There is a cross-site request forgery vulnerability in Esri Portal for ArcGIS versions 11.1 and below that may in some cases allow a remote, unauthenticated attacker to trick an authorized user into executing unwanted actions via a crafted form. The impact to Confidentiality and Integrity vectors is limited and of low severity.
Session Riding
Esri Portal for ArcGIS 11.1: Remote HTML Injection via crafted link
CVE-2024-25690
4.7 - Medium
- April 04, 2024
There is an HTML injection vulnerability in Esri Portal for ArcGIS versions 11.1 and below that may allow a remote, unauthenticated attacker to create a crafted link which, when clicked, could render arbitrary HTML in the victim's browser.
XSS
Stored XSS in Esri Portal for ArcGIS <=11.2 via item location edit
CVE-2024-25709
6.1 - Medium
- April 04, 2024
There is a stored Cross-Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS versions 11.2 and below that may allow a remote, authenticated attacker to create a crafted link that can be saved as a new location when moving an existing item, which could potentially execute arbitrary JavaScript code in a victim's browser. Exploitation does not require any privileges and can be performed by an anonymous user.
XSS
Esri Portal for ArcGIS Experience Builder XSS (<=11.1) on Windows/Linux
CVE-2024-25705
5.4 - Medium
- April 04, 2024
There is a cross-site scripting (XSS) vulnerability in Esri Portal for ArcGIS Experience Builder versions 11.1 and below on Windows and Linux that allows a remote, authenticated attacker with low-privileged access to create a crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim's browser. Exploitation requires basic authenticated access but does not require elevated or administrative privileges, indicating low privileges are required.
XSS
Esri Portal for ArcGIS 11.1 and Below Reflected XSS in Home App
CVE-2024-25698
6.1 - Medium
- April 04, 2024
There is a reflected cross-site scripting vulnerability in the home application in Esri Portal for ArcGIS 11.1 and below on Windows and Linux that allows a remote, unauthenticated attacker to create a crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim's browser.
XSS
Improper Auth Esri Portal ArcGIS <=11.2 Home App RUA Vulnerability
CVE-2024-25699
8.5 - High
- April 04, 2024
There is a difficult-to-exploit improper authentication issue in the Home application for Esri Portal for ArcGIS versions 11.2 and below on Windows and Linux, and ArcGIS Enterprise versions 11.1 and below on Kubernetes, which under unique circumstances could allow a remote, authenticated attacker with low-privileged access to compromise the confidentiality, integrity, and availability of the software. Successful exploitation allows the attacker to cross an authentication and authorization boundary beyond their originally assigned access, resulting in a scope change.
Authentication
Esri ArcGIS Enterprise Sites XSS (v<10.9) via Authenticated Crafted Link
CVE-2023-25837
8.4 - High
- July 21, 2023
There is a Cross-Site Scripting (XSS) vulnerability in Esri ArcGIS Enterprise Sites versions 10.9 and below that may allow a remote, authenticated attacker to create a crafted link which, when clicked by a victim, could result in the execution of arbitrary JavaScript code in the target's browser. Exploitation requires high-privileged authenticated access. Successful exploitation may allow the attacker to access sensitive session data, manipulate trusted content, and disrupt normal application functionality, resulting in a high impact to confidentiality, integrity, and availability.
XSS
Esri Portal for ArcGIS Sites <10.9: XSS via crafted link
CVE-2023-25836
5.4 - Medium
- July 21, 2023
There is a Cross-site Scripting vulnerability in Esri Portal for ArcGIS Sites in versions 10.9 and below that may allow a remote, authenticated attacker to create a crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are low.
XSS
XSS in Esri Portal for ArcGIS Sites <=11.1 (site config)
CVE-2023-25835
8.4 - High
- July 21, 2023
There is a stored Cross-Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS Sites versions 11.1 and below that may allow a remote, authenticated attacker with high-privileged access to create a crafted link that is persisted within the site configuration. When accessed by a victim, the stored payload may execute arbitrary JavaScript code in the victim's browser. Successful exploitation could allow the attacker to access sensitive user data and session information, alter trusted site content and user actions, and disrupt normal site functionality, resulting in a high impact to confidentiality, integrity, and availability.
XSS
HTML Injection in Esri Portal for ArcGIS <=11 via crafted link
CVE-2023-25833
5.4 - Medium
- May 10, 2023
There is an HTML injection vulnerability in Esri Portal for ArcGIS versions 11.0 and below that may allow a remote, authenticated attacker to create a crafted link which, when clicked, could render arbitrary HTML in the victim's browser (no stateful change made or customer data rendered).
Basic XSS
Reflected XSS in Esri Portal for ArcGIS <=10.9.1
CVE-2023-25831
6.1 - Medium
- May 09, 2023
There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.9.1 and below which may allow a remote, unauthenticated attacker to create a crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim's browser.
XSS
CSRF in Esri Portal for ArcGIS <11.0: Authorized User Actions Exploited
CVE-2023-25832
8.8 - High
- May 09, 2023
There is a cross-site request forgery vulnerability in Esri Portal for ArcGIS versions 11.0 and below that may allow an attacker to trick an authorized user into executing unwanted actions.
Session Riding
Esri Portal for ArcGIS <=11.0 Unvalidated Redirect Vulnerability
CVE-2023-25829
6.1 - Medium
- May 09, 2023
There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.0 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks.
Open Redirect
Reflected XSS in Esri Portal for ArcGIS v10.9.1 and prior
CVE-2023-25830
6.1 - Medium
- May 09, 2023
There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.9.1 and before which may allow a remote, unauthenticated attacker to create a crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim's browser.
XSS
Privilege Escalation in Esri ArcGIS Portal <=10.9.1 (CVE-2023-25834)
CVE-2023-25834
5.4 - Medium
- May 09, 2023
Changes to user permissions in Portal for ArcGIS 10.9.1 and below are incompletely applied in specific use cases. This issue may allow users to access content that they are no longer privileged to access.
Improper Privilege Management
Reflected XSS in Esri Portal for ArcGIS 10.8.1/10.7.1
CVE-2022-38207
6.1 - Medium
- December 29, 2022
There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.8.1 and 10.7.1 which may allow a remote, unauthenticated attacker to create a crafted link which, when clicked, could execute arbitrary JavaScript code in the victim's browser.
XSS
Reflected XSS in Esri Portal for ArcGIS v10.9.1 and prior
CVE-2022-38209
6.1 - Medium
- December 29, 2022
There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.9.1 and below which may allow a remote, unauthenticated attacker to create a crafted link which, when clicked, could execute arbitrary JavaScript code in the victim's browser.
XSS
Unvalidated Redirect in Esri Portal for ArcGIS 11.x
CVE-2022-38208
6.1 - Medium
- December 29, 2022
There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks.
Open Redirect
Esri Portal for ArcGIS 10.9.1 Reflected XSS via Crafted Link
CVE-2022-38206
6.1 - Medium
- December 29, 2022
There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.9.1 and below which may allow a remote, unauthenticated attacker to create a crafted link which, when clicked, could execute arbitrary JavaScript code in the victim's browser.
XSS
Directory Traversal in Esri Portal for ArcGIS <=10.9.1
CVE-2022-38205
7.5 - High
- December 29, 2022
In some non-default installations of Esri Portal for ArcGIS versions 10.9.1 and below, a directory traversal issue may allow a remote, unauthenticated attacker to traverse the file system and lead to the disclosure of sensitive data (not customer-published content).
Directory traversal
Esri Portal for ArcGIS SSRF Flaw Pre-10.8.1 Unauthenticated Remote Attack
CVE-2022-38212
7.5 - High
- December 29, 2022
Protections against potential Server-Side Request Forgery (SSRF) vulnerabilities in Esri Portal for ArcGIS versions 10.8.1 and below were not fully honored and may allow a remote, unauthenticated attacker to forge requests to arbitrary URLs from the system, potentially leading to network enumeration or reading from hosts inside the network perimeter, a different issue than CVE-2022-38211 and CVE-2022-38203.
SSRF
ArcGIS Portal SSRF Vulnerability ESRI Portal for ArcGIS 10.9.1
CVE-2022-38211
7.5 - High
- December 29, 2022
Protections against potential Server-Side Request Forgery (SSRF) vulnerabilities in Esri Portal for ArcGIS versions 10.9.1 and below were not fully honored and may allow a remote, unauthenticated attacker to forge requests to arbitrary URLs from the system, potentially leading to network enumeration or reading from hosts inside the network perimeter, a different issue than CVE-2022-38211 and CVE-2022-38212.
SSRF