CVE-2024-25709
📋 TL;DR
A stored XSS vulnerability in Esri Portal for ArcGIS allows remote authenticated attackers to inject malicious JavaScript via crafted links when moving items. This could execute arbitrary code in victims' browsers, potentially compromising user sessions or stealing credentials. All users of Portal for ArcGIS versions 11.2 and below are affected, including anonymous users.
💻 Affected Systems
- Esri Portal for ArcGIS
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, hijack user sessions, deface the portal, or redirect users to malicious sites, leading to full portal compromise.
Likely Case
Attackers would typically steal user session cookies or credentials to gain unauthorized access to the portal and its data.
If Mitigated
With proper input validation and output encoding, malicious scripts would be neutralized, preventing code execution.
🎯 Exploit Status
Exploitation requires creating a crafted link and tricking a user into moving an item with that link, but no authentication is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply Security 2024 Update 1 or upgrade to version 11.3 or later
Vendor Advisory: https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2024-update-1/
Restart Required: Yes
Instructions:
1. Download Security 2024 Update 1 from Esri's My Esri portal.
2. Apply the update following Esri's patch deployment procedures.
3. Restart the Portal for ArcGIS service.
4. Verify the fix by testing the vulnerability.
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement server-side input validation to reject malicious script tags in link parameters.
Content Security Policy (CSP)
Deploy a strict CSP to block inline scripts and restrict script sources, reducing XSS impact.
🧯 If You Can't Patch
- Restrict anonymous access to the portal if possible to reduce attack surface.
- Monitor and audit user activities for suspicious link creation or item movements.
🔍 How to Verify
Check if Vulnerable:
Test by creating a crafted link with JavaScript payload and attempting to save it when moving an item. If the script executes in a victim's browser, the system is vulnerable.
Check Version:
Check the Portal for ArcGIS version in the administrative interface or via the REST API endpoint /arcgis/rest/info.
Verify Fix Applied:
After patching, repeat the vulnerability test; the script should be sanitized and not execute.
📡 Detection & Monitoring
Log Indicators:
- Unusual item movement logs with long or encoded parameters
- Multiple failed login attempts following item modifications
Network Indicators:
- HTTP requests with suspicious script tags in query parameters
- Unexpected outbound connections from user browsers
SIEM Query:
source="portal_logs" AND event="item_move" AND (url CONTAINS "script" OR url CONTAINS "javascript")
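The SIEM query above only matches literal substrings, so a percent-encoded payload in an item-move URL slips past it. The following Python detector is an added example (not part of the original advisory and not Esri code) that URL-decodes the query string, including double encoding, before looking for script markers; the `key=value` log layout and the sample lines are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines; the key=value layout is an assumption,
# not the real Portal for ArcGIS log format.
SAMPLE_LOGS = [
    'ts=2024-03-01T10:00:01Z user=alice event=item_move url=/sharing/rest/content/users/alice/items/a1/move?folder=123',
    'ts=2024-03-01T10:00:05Z user=bob event=item_move url=/sharing/rest/content/users/bob/items/b2/move?link=http%3A%2F%2Fintranet%2Fmap',
    'ts=2024-03-01T10:00:09Z user=mallory event=item_move url=/sharing/rest/content/users/m/items/c3/move?link=%3Cscript%3Ealert(1)%3C%2Fscript%3E',
    'ts=2024-03-01T10:00:12Z user=eve event=item_move url=/sharing/rest/content/users/e/items/d4/move?link=JaVaScRiPt%3Aalert(document.cookie)',
    'ts=2024-03-01T10:00:20Z user=carol event=item_update url=/sharing/rest/content/users/c/items/e5/update?title=script%20demo',
]

# Markers checked on the decoded query string, case-insensitively:
# an opening script tag, a javascript: scheme, or an inline on*= handler.
XSS_MARKERS = re.compile(r'<\s*script|javascript\s*:|\bon\w+\s*=', re.IGNORECASE)
FIELD = re.compile(r'(\w+)=(\S+)')
MAX_PARAM_LEN = 200  # threshold for an "unusually long" query string (assumption)

def parse_line(line):
    """Split a key=value log line into a dict; the greedy \\S+ keeps the whole URL together."""
    return dict(FIELD.findall(line))

def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding so %253C (double-encoded '<') is still caught."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_item_moves(lines):
    """Return (user, reason) pairs for item_move events whose query string looks like XSS."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec.get('event') != 'item_move':
            continue  # only item moves are relevant to this CVE
        _, _, query = rec.get('url', '').partition('?')
        if XSS_MARKERS.search(decode_fully(query)):
            hits.append((rec.get('user'), 'xss_marker'))
        elif len(query) > MAX_PARAM_LEN:
            hits.append((rec.get('user'), 'long_parameter'))
    return hits

if __name__ == '__main__':
    for user, reason in suspicious_item_moves(SAMPLE_LOGS):
        print(f'ALERT user={user} reason={reason}')
```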