CVE-2024-25695 Overview
CVE-2024-25695 is a Cross-Site Scripting (XSS) vulnerability [CWE-79] affecting Esri Portal for ArcGIS versions 11.2 and below. The flaw stems from improper sanitization of user input that is later rendered within error messages. A remote attacker can inject malicious script content that executes in the browser context of users viewing affected pages. While the advisory notes that the attack requires authentication, the CVSS metrics indicate that no privileges are required to deliver the payload; successful exploitation impacts both confidentiality and integrity, with a scope change.
Critical Impact
Attackers can execute arbitrary JavaScript in victim browsers, enabling session token theft, credential harvesting, and unauthorized actions within Portal for ArcGIS deployments.
Affected Products
- Esri Portal for ArcGIS version 11.2
- Esri Portal for ArcGIS versions below 11.2
- ArcGIS Enterprise deployments using vulnerable Portal components
Discovery Timeline
- 2024-04-04 - CVE-2024-25695 published to NVD
- 2025-04-10 - Last updated in NVD database
Technical Details for CVE-2024-25695
Vulnerability Analysis
The vulnerability is a reflected Cross-Site Scripting flaw in Portal for ArcGIS, the web-based content management component of ArcGIS Enterprise. The application accepts attacker-controlled input and incorporates it into error message responses without applying proper output encoding or sanitization. When a victim's browser renders the error page, embedded script content executes within the trusted origin of the Portal application.
The scope change indicator in the CVSS vector signals that the executed script can affect resources beyond the vulnerable component. This commonly occurs in Single Sign-On (SSO) environments where Portal for ArcGIS integrates with federated identity providers or shares session state with other ArcGIS Enterprise services. Attackers can leverage the XSS to pivot toward administrative interfaces or connected GIS services.
Root Cause
The root cause is missing or insufficient output encoding when error messages echo user-supplied values back to the response. Input that should be treated as data is instead interpreted as executable markup by the browser. The component fails to apply contextual escaping for HTML, attribute, or JavaScript contexts where the input is rendered.
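The defect and its fix side by side, as an added example that is not Esri's code and not taken from the advisory: an error page that interpolates a request value raw, beside one that encodes the same value separately for each of the HTML text, attribute, URL and JavaScript contexts named above. The probe string and the /portal/home/search.html path are constructed for the example.

```python
import html
import json
from urllib.parse import quote

# Constructed probe standing in for a user-supplied value that an error page echoes back.
PROBE = "<img src=x onerror=alert(1)>"

def render_error_vulnerable(value):
    """Interpolates the raw value into HTML: the missing-encoding defect behind CWE-79."""
    return f"<p>Error: item '{value}' could not be loaded.</p>"

def render_error_safe(value):
    """Encodes the same value once per rendering context before it reaches the browser."""
    as_text = html.escape(value, quote=False)   # HTML body text: & < > become entities
    as_attr = html.escape(value, quote=True)    # quoted attribute: also escapes " and '
    as_url = quote(value, safe="")              # query-string component: percent-encoded
    # JavaScript string literal: JSON-encode, then escape '<' so '</script>' can never close the block
    as_js = json.dumps(value).replace("<", "\\u003c")
    return (
        f"<p>Error: item '{as_text}' could not be loaded.</p>\n"
        f'<input type="text" name="id" value="{as_attr}">\n'
        f'<a href="/portal/home/search.html?q={as_url}">Search again</a>\n'   # path is constructed
        f"<script>var lastRequested = {as_js};</script>"
    )

def leaks_markup(page):
    """True when the probe's tag opener reaches the page as live markup rather than as an entity."""
    return "<img" in page
```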
Attack Vector
An attacker crafts a URL or form submission containing a malicious payload designed to trigger an error condition in Portal for ArcGIS. The crafted input is delivered to a victim through phishing, malicious links, or embedded references on attacker-controlled pages. When the victim's authenticated browser session processes the response, the injected script executes with access to session cookies, local storage, and the Portal application Document Object Model (DOM). Attackers can use this to exfiltrate authentication tokens, perform actions on behalf of the victim, or stage further attacks against ArcGIS Enterprise resources.
No verified public exploit code is available for this vulnerability. Refer to the Esri ArcGIS Security Update Blog for vendor-provided technical context.
Detection Methods for CVE-2024-25695
Indicators of Compromise
- HTTP requests to Portal for ArcGIS endpoints containing encoded <script>, javascript:, or event handler attributes such as onerror= and onload= in query parameters or form fields
- Web server access logs showing unusual error response codes (4xx) correlated with payloads containing HTML special characters in user-supplied parameters
- Outbound network connections from authenticated user sessions to unfamiliar external domains shortly after Portal page interactions
- Unexpected session token transmission to non-Portal origins observed in browser telemetry or web proxy logs
Detection Strategies
- Inspect Portal for ArcGIS access logs for parameter values containing HTML or script syntax that would normally be encoded by legitimate clients
- Deploy Web Application Firewall (WAF) rules that flag reflected XSS patterns in requests to ArcGIS endpoints
- Monitor browser-side telemetry for anomalous DOM modifications or script execution on Portal pages
- Correlate authentication events with subsequent administrative API calls to detect session abuse following potential XSS exploitation
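The log inspection described in the indicators and strategies above, as an added example that is not part of the advisory and not an Esri tool: it parses constructed Combined Log Format lines, URL-decodes each query parameter repeatedly so double-encoded payloads are exposed, matches the listed indicator patterns on /portal/ paths, and records whether the hit coincided with a 4xx response. All log lines, IP addresses and paths are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (Combined Log Format); not real Portal traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Apr/2024:10:01:02 +0000] "GET /portal/sharing/rest/search?q=roads HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [04/Apr/2024:10:02:11 +0000] "GET /portal/home/item.html?id=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 400 311 "-" "Mozilla/5.0"
10.0.0.9 - - [04/Apr/2024:10:03:45 +0000] "GET /portal/home/search.html?q=%253Cimg%2520src%3Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 404 201 "-" "Mozilla/5.0"
10.0.0.5 - - [04/Apr/2024:10:04:00 +0000] "GET /portal/home/item.html?id=abc123 HTTP/1.1" 404 180 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# The indicator patterns the advisory lists; case-insensitive, tolerant of spaces around '='
XSS_RE = re.compile(r"<script|javascript:|on(?:error|load)\s*=", re.IGNORECASE)

def decode_fully(value, max_rounds=3):
    """URL-decode until stable so double-encoded payloads (%253C -> %3C -> <) are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_log(text):
    """Return one hit per parameter whose decoded value matches an XSS indicator on a /portal/ path."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group("target").startswith("/portal/"):
            continue
        status = int(m.group("status"))
        query = urlsplit(m.group("target")).query
        for name, raw in parse_qsl(query, keep_blank_values=True):  # parse_qsl decodes once
            value = decode_fully(raw)
            if XSS_RE.search(value):
                hits.append({
                    "ip": m.group("ip"), "time": m.group("ts"), "param": name,
                    "decoded": value, "status": status,
                    "error_response": 400 <= status < 500,  # the 4xx correlation named above
                })
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} status={hit["status"]} {hit["param"]}={hit["decoded"]!r}')
```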
Monitoring Recommendations
- Enable verbose logging on Portal for ArcGIS to capture full request parameters and response status for security review
- Forward Portal and reverse proxy logs to a centralized SIEM for correlation and retention
- Implement Content Security Policy (CSP) reporting endpoints to capture script execution violations in real time
- Track administrative actions performed through the Portal user interface to identify anomalous behavior after suspicious browsing activity
How to Mitigate CVE-2024-25695
Immediate Actions Required
- Upgrade Portal for ArcGIS to a version above 11.2 that includes the vendor fix documented in the Esri security advisory
- Apply the Portal for ArcGIS Security 2024 Update 2 patch released by Esri
- Review Portal user sessions and force re-authentication for accounts that may have been targeted
- Audit administrative accounts and recent configuration changes within ArcGIS Enterprise
Patch Information
Esri has released a security update addressing CVE-2024-25695. Administrators should consult the Esri ArcGIS Security Update Blog for the specific patch package, applicable version targets, and installation procedures for their ArcGIS Enterprise deployment.
Workarounds
- Restrict Portal for ArcGIS access to trusted networks using firewall rules or VPN-only access until patching is complete
- Deploy a WAF in front of Portal for ArcGIS with rules tuned to block reflected XSS payloads
- Implement a strict Content Security Policy header on the Portal application to limit inline script execution
- Educate Portal users to avoid clicking unsolicited links that reference Portal URLs with unusual query parameters
# Example WAF rule concept (ModSecurity) to block common XSS patterns in Portal requests.
# Both rules in the chain must match: the first scopes the check to Portal paths and carries
# the id, phase and disruptive action; the second decodes each argument (URL and HTML entity
# decoding expose double-encoded payloads) before testing it against the XSS indicators.
SecRule REQUEST_URI "@contains /portal/" \
"chain,id:1002495,phase:2,deny,status:403,log,msg:'Potential XSS targeting Portal for ArcGIS'"
SecRule ARGS "@rx (?i)(<script|javascript:|onerror=|onload=)" "t:urlDecodeUni,t:htmlEntityDecode"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.