CVE-2025-55107

There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 - 11.4 that may allow a remote, authenticated attacker to inject a malicious file with an embedded XSS script which, when loaded, could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high. The attack could disclose a privileged token, which may result in the attacker gaining full control of the Portal.

Cross-site Scripting

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 4.8 MEDIUM | NETWORK | LOW | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |
| Esri | CNA | 4.8 MEDIUM | NETWORK | LOW | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |
| CISA-ADP | ADP | --- | --- | | | |