CVE-2025-55104
📋 TL;DR
A stored cross-site scripting vulnerability in ArcGIS HUB and ArcGIS Enterprise Sites allows authenticated users with site creation/editing permissions to inject malicious JavaScript that executes in other users' browsers when they view the compromised content. This affects organizations using these ArcGIS products with users who have site management privileges.
💻 Affected Systems
- ArcGIS HUB
- ArcGIS Enterprise Sites
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or compromise user accounts and data.
Likely Case
Attackers with legitimate site editing access could embed malicious scripts to steal session tokens or perform limited actions as other users viewing the compromised content.
If Mitigated
With proper input validation and output encoding, the vulnerability would be prevented, and with least privilege access controls, the attack surface would be minimized.
🎯 Exploit Status
Exploitation requires authenticated access with specific permissions; stored XSS payloads persist until removed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific patched versions
Vendor Advisory: https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/2925891-2
Restart Required: No
Instructions:
1. Review the Esri security advisory.
2. Apply the recommended patches or updates for ArcGIS HUB and ArcGIS Enterprise Sites.
3. Verify the update was successful.
🔧 Temporary Workarounds
Restrict Site Editing Permissions
Limit site creation and editing capabilities to trusted, necessary users only, following least privilege principles.
Implement Content Security Policy
Deploy CSP headers to restrict script execution sources and reduce XSS impact.
🧯 If You Can't Patch
- Review and audit all site content for suspicious scripts or HTML
- Implement web application firewall rules to detect and block XSS payloads
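A content audit of the kind the first item describes, as an added example (not Esri's own tooling): it parses stored site/page HTML and flags inline scripts, event-handler attributes, javascript: URLs and script sources outside a host allow-list. The allowed host `js.arcgis.com`, the helper names and the sample markup are assumptions constructed for this example.

```python
# Added audit helper (not Esri tooling): flag script-injection patterns in
# stored site/page HTML, the content review the workaround section describes.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts from which script loads are expected; an assumption, adjust per deployment.
ALLOWED_SCRIPT_HOSTS = frozenset({"js.arcgis.com"})


class _InjectionFinder(HTMLParser):
    """Collects (category, detail) findings while parsing one HTML blob."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = allowed_hosts
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "script":
            src = attrs.get("src")
            if src is None:
                # Inline script body inside user-editable content
                self.findings.append(("inline-script", "line %d" % self.getpos()[0]))
            elif (urlparse(src).hostname or "") not in self.allowed_hosts:
                # Relative paths and unknown hosts both land here
                self.findings.append(("external-script", src))
        for name, value in attrs.items():
            if name.startswith("on"):
                self.findings.append(("event-handler", f"{tag}@{name}"))
            elif (name in ("href", "src", "action", "formaction")
                  and value.strip().lower().startswith("javascript:")):
                self.findings.append(("javascript-url", f"{tag}@{name}"))


def audit_content(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return findings for one stored content blob, in document order."""
    finder = _InjectionFinder(allowed_hosts)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample resembling a site card with injected markup.
SAMPLE_CONTENT = """<div class="card"><h2>Parks</h2>
<script src="https://js.arcgis.com/4.29/"></script>
<img src="park.png" onerror="alert(1)">
<a href="javascript:alert(1)">Open map</a>
<script src="//cdn.example.invalid/t.js"></script>
<script>/* injected */</script></div>"""
```

Run `audit_content` over each exported content blob and review every finding; the allowed-host script on line 2 of the sample produces none, the four injected items each produce one.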
🔍 How to Verify
Check if Vulnerable:
Check if your ArcGIS HUB/Enterprise Sites version matches affected versions in the Esri advisory
Check Version:
Check ArcGIS product version through administrative interfaces or configuration files
Verify Fix Applied:
Verify installation of patched versions and test that XSS payloads are properly sanitized
📡 Detection & Monitoring
Log Indicators:
- Unusual site editing activity
- Suspicious HTML/JavaScript in content updates
Network Indicators:
- Unexpected external script loads from site content
SIEM Query:
Search for patterns of script injection in web application logs or content modification events