CVE-2024-38038

6.1 MEDIUM

📋 TL;DR

A reflected cross-site scripting (XSS) vulnerability in Esri Portal for ArcGIS 11.1 allows attackers to craft malicious links that execute arbitrary JavaScript in victims' browsers when clicked. This affects organizations using vulnerable versions of the portal software, potentially compromising user sessions and data.

💻 Affected Systems

Products:
  • Esri Portal for ArcGIS
Versions: Version 11.1
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Portal for ArcGIS installations at version 11.1; other versions are not impacted.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal session cookies, redirect users to malicious sites, perform actions on behalf of authenticated users, or deploy additional malware payloads.

🟠

Likely Case

Session hijacking, credential theft, or defacement of portal pages through injected content.

🟢

If Mitigated

Limited impact if proper input validation and output encoding are implemented, though some user interaction risk remains.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Reflected XSS typically requires user interaction (clicking a malicious link) but is straightforward to exploit once the vulnerable parameter is identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply Security 2024 Update 2 or later

Vendor Advisory: https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2024-update-2-released/

Restart Required: Yes

Instructions:

1. Download Security 2024 Update 2 from My Esri.
2. Apply the update following Esri's patch deployment procedures.
3. Restart the Portal for ArcGIS service.

🔧 Temporary Workarounds

Web Application Firewall (WAF) Rules

all

Deploy WAF rules to block XSS payloads in URL parameters.

Input Validation Filter

all

Implement custom input validation to sanitize user-supplied parameters.

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) headers to limit script execution.
  • Educate users about phishing risks and safe browsing practices.

🔍 How to Verify

Check if Vulnerable:

Check Portal for ArcGIS version in administration console; if version is 11.1 without Security 2024 Update 2, it is vulnerable.

Check Version:

Check via Portal Administrator Directory at https://<portal-url>/portaladmin/system/properties/version

Verify Fix Applied:

Confirm version shows Security 2024 Update 2 applied and test with XSS payloads to ensure they are properly sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual URL parameters containing script tags or JavaScript code in access logs
  • Multiple failed login attempts from unexpected sources

Network Indicators:

  • HTTP requests with suspicious parameters containing <script> tags or JavaScript functions

SIEM Query:

source="portal_access_logs" AND (url="*<script>*" OR url="*javascript:*")
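The SIEM query above matches only the literal strings `<script>` and `javascript:`, so a percent-encoded request (`%3Cscript%3E`) would not be flagged. The following added example (not part of this advisory or of any Esri tooling) shows the same detection applied to access-log lines after percent-decoding the request target, which is what a log pipeline should do before matching. The log lines and the log format are constructed for this example; the pattern list is an assumption and would be tuned to the deployment.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in a Common-Log-Format approximation.
# They are not real Portal for ArcGIS logs; the paths and parameters are
# placeholders chosen to exercise the matcher.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jun/2024:10:01:02 +0000] "GET /portal/home/index.html HTTP/1.1" 200 512
10.0.0.7 - - [12/Jun/2024:10:01:09 +0000] "GET /portal/home/search.html?q=<script>alert(1)</script> HTTP/1.1" 200 812
10.0.0.9 - - [12/Jun/2024:10:02:15 +0000] "GET /portal/home/search.html?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 812
10.0.0.11 - - [12/Jun/2024:10:03:30 +0000] "GET /portal/home/item.html?url=javascript:alert(document.cookie) HTTP/1.1" 200 640
10.0.0.13 - - [12/Jun/2024:10:04:01 +0000] "GET /portal/home/search.html?q=javascript%20tutorial HTTP/1.1" 200 812
"""

# Extracts the request line: method, target (path + query), protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Patterns applied to the *decoded* request target. A literal-string query
# misses encoded payloads; decoding first closes that gap. The third pattern
# (inline event handlers such as onerror=) is the noisiest of the three.
XSS_PATTERNS = [
    re.compile(r"<\s*script\b", re.IGNORECASE),
    re.compile(r"javascript\s*:", re.IGNORECASE),
    re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),
]


def decode_target(target, rounds=2):
    """Percent-decode the request target; a second round catches double encoding."""
    decoded = target
    for _ in range(rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def flag_line(line):
    """Return the pattern that matched the decoded target, or None if the line is clean."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    decoded = decode_target(m.group("target"))
    for pat in XSS_PATTERNS:
        if pat.search(decoded):
            return pat.pattern
    return None


def scan_log(text):
    """Return (source_ip, decoded_target, pattern) for every flagged line."""
    hits = []
    for line in text.splitlines():
        reason = flag_line(line)
        if reason:
            ip = line.split(" ", 1)[0]
            target = decode_target(REQUEST_RE.search(line).group("target"))
            hits.append((ip, target, reason))
    return hits


if __name__ == "__main__":
    for ip, target, reason in scan_log(SAMPLE_LOG):
        print(f"{ip}\t{reason}\t{target}")
```

On the constructed input the plain and the percent-encoded `<script>` requests and the `javascript:` URL are flagged, while the search for "javascript tutorial" is not, because decoding yields a space rather than a colon. Treat a hit as a prompt to pull the full request and the referer, not as proof of exploitation: a reflected XSS attempt only succeeds if a user followed the link.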
