Vulnerability Change Records for CVE-2024-25704

Change History

CVE Modified by Environmental Systems Research Institute, Inc. 4/25/2024 3:15:49 PM

| Action | Type | Old Value | New Value |
| --- | --- | --- | --- |
| Removed | CVSS V3.1 | Environmental Systems Research Institute, Inc. AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N | |
| Removed | CWE | Environmental Systems Research Institute, Inc. CWE-79 | |
| Changed | Description | There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Experience Builder versions <= 11.1 that may allow a remote, authenticated attacker to create a crafted link that is stored in the Experience Builder Embed widget which when loaded could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high. | Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority because this item is scheduled to be patched at a future time. |
| Removed | Reference | Environmental Systems Research Institute, Inc. https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2024-update-2/ | |

CVE Rejected by Environmental Systems Research Institute, Inc. 4/25/2024 3:15:49 PM

| Action | Type | Old Value | New Value |
| --- | --- | --- | --- |

CVE Translated by Environmental Systems Research Institute, Inc. 4/25/2024 3:15:49 PM

| Action | Type | Old Value | New Value |
| --- | --- | --- | --- |
| Removed | Translation | Title: Esri Portal for ArcGIS. Description: There is a stored Cross-Site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Experience Builder versions <= 11.1 that may allow a remote, authenticated attacker to create a crafted link that is stored in the Experience Builder Embed widget which, when loaded, could execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high. | |