CVE-2024-8149
📋 TL;DR
A reflected Cross-Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS allows authenticated low-privileged attackers to craft malicious links that execute arbitrary JavaScript in victims' browsers when clicked. This affects users of Portal for ArcGIS versions 11.1 and 11.2. Exploitation is limited to the victim's browser session and doesn't escalate privileges beyond that session.
💻 Affected Systems
- Esri Portal for ArcGIS
📦 What is this software?
Portal for ArcGIS is the web GIS component of Esri's ArcGIS Enterprise: it hosts the portal website where users sign in, share maps, apps, layers and other content, and where administrators manage groups and organization settings.
⚠️ Risk & Real-World Impact
Worst Case
Attacker steals authenticated session cookies/tokens, performs actions as the victim (data theft, configuration changes), or delivers malware via the victim's browser.
Likely Case
Session hijacking leading to unauthorized access to portal data and functionality available to the victim's role.
If Mitigated
Limited impact due to same-origin policy restrictions and inability to escalate beyond victim's existing permissions.
🎯 Exploit Status
Exploitation requires the attacker to trick an authenticated victim into clicking a malicious link. No privilege escalation beyond victim's existing permissions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply Security 2024 Update 2 (specific patch version depends on base version)
Vendor Advisory: https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2024-update-2-released/
Restart Required: Yes
Instructions:
1. Download Security 2024 Update 2 from My Esri.
2. Stop the Portal for ArcGIS service.
3. Apply the update following Esri's patch installation guide.
4. Restart the Portal for ArcGIS service.
5. Verify the update was applied successfully in portal administration.
🔧 Temporary Workarounds
Input Validation Enhancement
Implement additional input validation and output encoding for user-supplied parameters in custom portal applications, encoding each value for the context (HTML body, attribute, URL) in which it is rendered.
N/A - Requires code changes
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to restrict script execution sources.
- Educate users about phishing risks and implement URL filtering to block malicious links.
🔍 How to Verify
Check if Vulnerable:
Check the Portal for ArcGIS version in the administration dashboard. If the version is 11.1 or 11.2 and Security 2024 Update 2 has not been applied, the system is vulnerable.
Check Version:
Check via Portal Administrator Directory at https://portalhostname/portaladmin/system/properties/ or administration dashboard.
Verify Fix Applied:
Confirm that the administration dashboard shows Security 2024 Update 2 as applied, and confirm that test XSS payloads no longer execute.
📡 Detection & Monitoring
Log Indicators:
- Unusually long parameter values in HTTP requests
- Requests containing JavaScript patterns in URL parameters
- Multiple failed login attempts followed by suspicious link access
Network Indicators:
- HTTP requests with encoded JavaScript in query parameters
- Redirects to portal URLs with suspicious parameters
SIEM Query:
source="portal_logs" AND (url="*<script*" OR url="*javascript:*" OR parameter="*alert(*" OR parameter="*onerror=*" OR parameter="*onload=*")
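The SIEM query above expressed as code, as an added example that is not part of the original advisory: it scans constructed sample access-log lines for the same patterns (`<script`, `javascript:`, `alert(`, `onerror=`, `onload=`), URL-decodes parameter values so that encoded payloads (the network indicator above) are caught, and also flags the unusually long parameter values listed under log indicators. The log line format, field layout and IP addresses are constructed for the example and are not Portal for ArcGIS's actual log format.

```javascript
// Added example, not Esri's code. Log format and field names are assumptions.

// Constructed sample access log lines: client IP, method, path, status.
const SAMPLE_LOG = [
  "203.0.113.5 GET /portal/home/index.html?view=map 200",
  "203.0.113.7 GET /portal/home/?msg=%3Cscript%3Ealert(1)%3C%2Fscript%3E 200",
  "203.0.113.9 GET /portal/sharing/rest/search?q=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E 200",
  "198.51.100.2 GET /portal/home/?redirect=javascript:alert(document.cookie) 302",
  "198.51.100.4 GET /portal/home/?q=" + "A".repeat(600) + " 200",
];

// Same patterns as the SIEM query, applied to decoded parameter values.
const SUSPICIOUS = [/<script/i, /javascript:/i, /alert\(/i, /onerror\s*=/i, /onload\s*=/i];
// Threshold for "unusually long" is an assumption; tune it to your traffic.
const MAX_PARAM_LENGTH = 512;

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// Returns null for a benign path, otherwise a list of "pattern:parameter" reasons.
function analyzeRequestPath(path) {
  const qIndex = path.indexOf("?");
  if (qIndex < 0) return null;
  const reasons = [];
  for (const pair of path.slice(qIndex + 1).split("&")) {
    const [name, ...rest] = pair.split("=");
    // Decode twice so double-encoded payloads are normalised as well.
    const decoded = safeDecode(safeDecode(rest.join("=").replace(/\+/g, " ")));
    if (decoded.length > MAX_PARAM_LENGTH) reasons.push(`long:${name}`);
    for (const re of SUSPICIOUS) {
      if (re.test(decoded)) reasons.push(`${re.source}:${name}`);
    }
  }
  return reasons.length ? reasons : null;
}

// Scans log lines and returns one hit record per suspicious request.
function scanLog(lines) {
  const hits = [];
  for (const line of lines) {
    const [ip, method, path, status] = line.split(" ");
    const reasons = analyzeRequestPath(path);
    if (reasons) hits.push({ ip, method, path, status, reasons });
  }
  return hits;
}

// Stand-alone run: print the flagged requests.
for (const hit of scanLog(SAMPLE_LOG)) {
  console.log(`${hit.ip} ${hit.status} ${hit.reasons.join(", ")}`);
}
```

Decoding before matching matters because the raw log line for the second and third requests contains no literal `<script` or `onerror=`; a wildcard match on the undecoded URL, as in the SIEM query, would miss them unless the SIEM normalises the field first.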