CVE-2024-25705
📋 TL;DR
A cross-site scripting (XSS) vulnerability in Esri Portal for ArcGIS Experience Builder allows authenticated low-privileged users to create malicious links that execute arbitrary JavaScript in victims' browsers. This affects versions 11.1 and below on Windows and Linux systems. Attackers can potentially steal session cookies, redirect users, or perform actions on their behalf.
💻 Affected Systems
- Esri Portal for ArcGIS Experience Builder
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, gain full system control, install backdoors, exfiltrate sensitive geospatial data, or pivot to internal networks.
Likely Case
Low-privileged authenticated users could steal other users' session tokens, perform account takeovers, or manipulate portal content.
If Mitigated
With proper input validation and output encoding, the vulnerability would be prevented, though authenticated users could still attempt exploitation.
🎯 Exploit Status
Exploitation requires authenticated access but only basic privileges; the attacker must also trick a victim into clicking the crafted link.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply Security 2024 Update 2 patch
Restart Required: Yes
Instructions:
1. Download the Security 2024 Update 2 patch from Esri.
2. Back up the portal configuration and data.
3. Apply the patch following Esri's installation guide.
4. Restart the portal services.
5. Verify the patch was applied and that the portal functions correctly.
🔧 Temporary Workarounds
Input Validation Enhancement
Implement additional input validation and output encoding for user-supplied link parameters
Custom implementation required - no standard commands
Content Security Policy
Implement strict CSP headers to limit the sources from which scripts may execute
Add 'Content-Security-Policy' header with script-src restrictions
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block XSS payloads in URLs
- Restrict user permissions and implement principle of least privilege for all authenticated users
🔍 How to Verify
Check if Vulnerable:
Check the portal version via the admin interface or configuration files; if the version is 11.1 or below, the system is vulnerable.
Check Version:
Check portal version in admin dashboard or configuration files (location varies by installation)
Verify Fix Applied:
Verify the patch installation through the portal version check, and confirm that link parameters carrying script content are now properly encoded rather than rendered.
📡 Detection & Monitoring
Log Indicators:
- Unusual URL parameters with script tags or JavaScript code
- Multiple failed XSS attempts in web logs
- Suspicious link generation by low-privileged users
Network Indicators:
- HTTP requests containing script tags in URL parameters
- Unusual redirect patterns
SIEM Query:
source="web_logs" AND (url="*<script>*" OR url="*javascript:*" OR url="*onerror=*" OR url="*onload=*")
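The SIEM query above matches the raw URL, so percent-encoded forms of the same markers (for example %3Cscript%3E) slip past it. The following added example, not part of the original advisory, applies the same four markers to web-log lines after URL-decoding; the log format is assumed to be Apache/nginx combined format, and the sample lines, hosts, users and the /portal/apps/experiencebuilder/ path are constructed placeholders, not real Esri paths or traffic.

```python
import re
from urllib.parse import unquote

# The same markers as the SIEM query on this page, matched after decoding.
XSS_MARKERS = re.compile(r"<script|javascript:|onerror=|onload=", re.IGNORECASE)

# Combined log format: host ident user [time] "METHOD path HTTP/x" status size ...
LOG_RE = re.compile(
    r'(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def is_suspicious_url(path: str) -> bool:
    """True if the request path/query carries an XSS marker.

    Decoded twice so that double-encoded payloads (%253C...) are also seen.
    """
    decoded = unquote(unquote(path))
    return bool(XSS_MARKERS.search(decoded))


def scan_log(lines):
    """Return (host, user, path) for every request whose URL carries a marker."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        if is_suspicious_url(m.group("path")):
            hits.append((m.group("host"), m.group("user"), m.group("path")))
    return hits


# Constructed sample log lines (placeholder hosts, users and paths; not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - alice [12/Mar/2024:10:01:02 +0000] "GET /portal/apps/experiencebuilder/?id=42 HTTP/1.1" 200 5120',
    '10.0.0.7 - bob [12/Mar/2024:10:02:15 +0000] "GET /portal/apps/experiencebuilder/?id=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5120',
    '10.0.0.9 - carol [12/Mar/2024:10:03:40 +0000] "GET /portal/apps/experiencebuilder/?link=javascript:void(0) HTTP/1.1" 200 4096',
    '10.0.0.11 - dave [12/Mar/2024:10:04:01 +0000] "GET /portal/sharing/rest/?f=json HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for host, user, path in scan_log(SAMPLE_LOG):
        print(f"flagged: {host} user={user} {path}")
```

Feeding the decoded path to the SIEM instead of the raw one, or adding the %3C/%3E forms to the query, closes the same gap at the collection layer.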