CVE-2025-57876

There is a stored Cross-site Scripting vulnerability in  Esri Portal for ArcGIS  11.4 and below that may allow a remote, authenticated attacker to inject malicious a file with an embedded xss script which when loaded could potentially execute arbitrary JavaScript code in the victims browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.8 MEDIUM
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
EsriCNA
4.8 MEDIUM
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 11%
VendorProductVersion
esriportal_for_arcgis
10.9.1
esriportal_for_arcgis
10.9.1:security_2025_update1
esriportal_for_arcgis
10.9.1:security_2025_update2
esriportal_for_arcgis
11.0
esriportal_for_arcgis
11.1
esriportal_for_arcgis
11.1:security_2024_update1
esriportal_for_arcgis
11.1:security_2024_update2
esriportal_for_arcgis
11.1:security_2025_update1
esriportal_for_arcgis
11.1:security_2025_update2
esriportal_for_arcgis
11.2
esriportal_for_arcgis
11.2:security_2024_update1
esriportal_for_arcgis
11.2:security_2024_update2
esriportal_for_arcgis
11.2:security_2025_update1
esriportal_for_arcgis
11.2:security_2025_update2
esriportal_for_arcgis
11.3
esriportal_for_arcgis
11.3:security_2025_update1
esriportal_for_arcgis
11.3:security_2025_update2
esriportal_for_arcgis
11.4
esriportal_for_arcgis
11.4:security_2025_update1
esriportal_for_arcgis
11.4:security_2025_update2
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2025-update-3-patch