CVE-2024-25694
📋 TL;DR
A stored cross-site scripting (XSS) vulnerability in the Layer Showcase application of Esri Portal for ArcGIS Enterprise allows an authenticated attacker who already holds high privileges (enough to create or edit a Layer Showcase app's configuration) to plant JavaScript in that configuration. When a victim opens a crafted link to the poisoned app, the script runs in the victim's browser in the portal's origin, where it can steal the victim's token; if the victim is an administrator, that token can give the attacker full control of the portal. Affected versions are 11.1 and below.
💻 Affected Systems
- Esri Portal for ArcGIS Enterprise
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
A portal administrator opens the crafted link. The script exfiltrates the administrator's token, and the attacker uses it against the portal REST API to take full administrative control: adding or elevating accounts, reading and exporting hosted content, and reconfiguring the portal.
</gra_replace>
<gr_replace lines="11" cat="clarify" orig="Attacker steals">
Ordinary members open the crafted link and the script steals their tokens, giving the attacker access to whatever those users can see and edit. Each stolen token is a stepping stone: content owned by those users, shared group items, and a base for further phishing inside the organization.
Likely Case
Attacker steals session tokens or credentials from authenticated users, enabling privilege escalation and unauthorized access to sensitive portal data.
If Mitigated
If only a small, trusted set of accounts can create or edit Layer Showcase apps, and token lifetimes are kept short, the attacker first has to compromise one of those accounts and a stolen token loses its value quickly. A poisoned app can still hijack the session of anyone who opens it until the app is found and cleaned, so the impact is bounded by who edits apps and who clicks the link, not eliminated. Operators cannot add input validation to the vendor's application themselves; that part of the fix comes only with the patch.
🎯 Exploit Status
Exploitation requires an authenticated account with high privileges (the ability to create or modify a Layer Showcase app). The attacker stores the payload in the app's configuration and then sends a link to that app to the victim; the payload executes when the victim opens it, so no further interaction with the attacker is needed. No public exploit is referenced on this page.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply Portal for ArcGIS Security 2024 Update 2 (or a later cumulative patch) for your installed portal version; Esri builds the patch separately for each supported release, so download the one that matches your version. Upgrading to a release newer than 11.1 also removes the issue.
Vendor Advisory: https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2024-update-2-released/
Restart Required: Yes
Instructions:
1. Download the Security 2024 Update 2 patch that matches your Portal for ArcGIS version from Esri Support (the advisory above links to it).
2. Back up the portal: the content directory and the portal configuration, or a full webgisdr backup for a multi-machine deployment.
3. Apply the patch on every machine running Portal for ArcGIS, following Esri's patch installation instructions; in a highly available deployment, patch all portal machines.
4. Restart the Portal for ArcGIS service on each machine (the patch installer normally does this; confirm the service is back up).
5. Confirm the patch is installed. The reported portal version does not change after a security patch, so do not rely on the version number; list installed patches instead (the patchnotification utility in the Portal installation's tools directory reports installed and available patches).
🔧 Temporary Workarounds
Disable Layer Showcase Application
Prevent new Layer Showcase apps from being created while the patch is scheduled. Portal for ArcGIS has no single switch that disables one configurable app; the practical equivalent is removing the Layer Showcase template from the group your organization uses for configurable app templates (set in the organization settings). Existing Layer Showcase items stay published, so inventory them and review their configuration for injected content.
Restrict High Privilege Access
Tighten access controls so that only a small, known set of accounts can create and edit web apps, since the attack needs that privilege. Review the member roles defined in the organization settings and remove app-creation and content-editing privileges from roles that do not need them; review which accounts hold administrator or publisher roles.
🧯 If You Can't Patch
- Shorten the window in which a stolen token is useful: reduce the maximum token expiration in the portal's security configuration and require re-authentication for administrative work from a separate, low-exposure account.
- Deploy WAF rules on the reverse proxy in front of the portal to flag item-update requests whose payload contains script tags, `javascript:` URIs or inline event handlers. Treat this as detection rather than prevention: the payload is stored JSON and can be entity- or percent-encoded, so a signature rule will not catch every variant.
- Review every existing Layer Showcase app's configuration for injected content, and re-review after any change by a privileged account.
🔍 How to Verify
Check if Vulnerable:
Read the portal version from the Portal Administrator Directory (https://<host>/<context>/portaladmin?f=json returns a `version` field) or from the organization settings page. If the version is 11.1 or below, the installation is in the affected range. Whether it is still vulnerable then depends on installed patches, not on the version number.
Check Version:
Query the portaladmin root resource with `f=json` and read `version`. The `/portaladmin/system/properties` resource returns portal system properties, not the version.
Verify Fix Applied:
A security patch does not change the reported portal version, so a patched 11.1 still reports 11.1. Confirm the fix by listing installed patches (the patchnotification utility in the Portal installation's tools directory) and checking that Security 2024 Update 2 or a later cumulative patch is present. Then, in a test organization, confirm that a harmless marker such as `<b>test</b>` entered in a Layer Showcase configuration field is rendered as text rather than as HTML.
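The version check above, as an added example that is not Esri's code. It parses the `version` field from the portaladmin root JSON and reports whether the installation is in the affected range. The hostname and the sample response are constructed; a true result means "in the range the CVE names", not "unpatched", since the patch leaves the version unchanged.

```python
"""Added example (not Esri code): decide whether a Portal for ArcGIS version
string falls in the range CVE-2024-25694 names (11.1 and below).

The version is read from the Portal Administrator Directory root, e.g.
GET https://portal.example.com/arcgis/portaladmin?f=json -> {"version": "11.1.0", ...}
(hostname and the sample response below are constructed). The security patch
does not change this number, so a hit here means "in the affected range",
not "unpatched"; confirm installed patches separately.
"""
import json
import re

AFFECTED_MAX = (11, 1)  # 11.1 and below, per the CVE


def parse_version(version: str) -> tuple:
    """'11.1.0' -> (11, 1, 0). Tolerates trailing text such as '10.9.1 (x64)'."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def in_affected_range(version: str) -> bool:
    """True when major.minor <= 11.1. A bare '11' is treated as 11.0."""
    major_minor = (parse_version(version) + (0,))[:2]
    return major_minor <= AFFECTED_MAX


def assess(portaladmin_json: str) -> dict:
    """Take the raw JSON body of the portaladmin root and summarise it."""
    info = json.loads(portaladmin_json)
    version = info["version"]
    return {"version": version, "affected_range": in_affected_range(version)}


# Constructed, trimmed sample of what the portaladmin root returns.
SAMPLE_RESPONSE = json.dumps(
    {"resources": ["system", "security", "logs"], "version": "11.1.0"}
)

if __name__ == "__main__":
    result = assess(SAMPLE_RESPONSE)
    print(result)
    if result["affected_range"]:
        print("In affected range: check installed patches for Security 2024 Update 2.")
```

To run this against a live portal, fetch the portaladmin root with an administrator token and pass the response body to `assess`; the function deliberately stops at "affected range" because the patch state has to come from the installed-patch list.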
📡 Detection & Monitoring
Log Indicators:
- Item update requests (`/sharing/rest/content/users/<user>/items/<itemId>/update`) against Layer Showcase app items from accounts, hours or source addresses that do not normally edit apps
- Script tags, `javascript:` URIs or inline event handlers in the stored configuration of Layer Showcase items, including entity- or percent-encoded forms
- Token use from a new client address shortly after a user opened a Layer Showcase app, which is what a successful token theft looks like from the server side
Network Indicators:
- HTTP requests to item-update endpoints whose body contains script tags or `javascript:` URIs
- Browser requests from portal users to unfamiliar external hosts immediately after loading a Layer Showcase app, with a token or cookie value in the URL or body
SIEM Query:
source="portal_logs" AND ("Layer Showcase" OR "showcase") AND ("script" OR "javascript" OR "onclick")