Esri: >> Portal For Arcgis >> 10.7.1 Security Vulnerabilities
Esri Portal for ArcGIS 11.4 and prior allows a remote, unauthenticated attacker to bypass the Portal’s SSRF protections.
CVSS Score
9.1
EPSS Score
0.0
Published
2025-05-29
A hardcoded credential vulnerability exists in a specific deployment pattern for Esri Portal for ArcGIS versions 11.4 and below that may allow a remote unauthenticated attacker to gain administrative access to the system.
CVSS Score
9.8
EPSS Score
0.001
Published
2025-03-20
There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 11.1 which may allow a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser.
CVSS Score
6.1
EPSS Score
0.001
Published
2024-10-04
There is an HTML injection vulnerability in Esri Portal for ArcGIS versions 11.0 and below that may allow a remote, authenticated attacker to create a crafted link which when clicked could render arbitrary HTML in the victim’s browser (no stateful change made or customer data rendered).
CVSS Score
5.4
EPSS Score
0.001
Published
2024-10-04
There is a reflected cross site scripting in Esri Portal for ArcGIS 11.1 and below on Windows and Linux x64 allows a remote authenticated attacker with administrative access to supply a crafted string which could potentially execute arbitrary JavaScript code in the their own browser (Self XSS). A user cannot be phished into clicking a link to execute code.
CVSS Score
4.8
EPSS Score
0.001
Published
2024-10-04
There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.9.1 and below which may allow a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser.
CVSS Score
5.4
EPSS Score
0.014
Published
2024-10-04
There is a cross site scripting vulnerability in the Esri Portal for ArcGIS Experience Builder 11.1 and below on Windows and Linux that allows a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are low.
CVSS Score
5.4
EPSS Score
0.003
Published
2024-04-04
There is an HTML injection vulnerability in Esri Portal for ArcGIS 11.0 and below that may allow a remote, unauthenticated attacker to craft a URL which, when clicked, could potentially generate a message that may entice an unsuspecting victim to visit an arbitrary website. This could simplify phishing attacks.
CVSS Score
6.1
EPSS Score
0.008
Published
2024-04-04
There is a Cross-site Scripting vulnerability in Portal for ArcGIS in versions 11.1 and below that may allow a remote, authenticated attacker to create a crafted link which when opening an authenticated users bio page will render an image in the victims browser. The privileges required to execute this attack are low.
CVSS Score
5.4
EPSS Score
0.003
Published
2024-04-04
There is a reflected cross site scripting vulnerability in the home application in Esri Portal for ArcGIS 11.1 and below on Windows and Linux that allows a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser.
CVSS Score
6.1
EPSS Score
0.004
Published
2024-04-04
Page 1