CVE-2025-55105

4.8 MEDIUM

📋 TL;DR

A stored cross-site scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites allows authenticated attackers with high privileges to inject malicious files containing JavaScript. When victims load these files, arbitrary code executes in their browsers, potentially disclosing privileged tokens. This affects versions 10.9.1 through 11.4 of the software.

💻 Affected Systems

Products:
  • Esri Portal for ArcGIS Enterprise Sites
Versions: 10.9.1 – 11.4
Operating Systems: Not specified, likely cross-platform
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated attacker with high privileges; vulnerability exists in file upload/processing functionality.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attacker gains full control of the Portal by stealing privileged tokens, leading to complete system compromise and data exfiltration.

🟠 Likely Case

Attacker steals session tokens or credentials from authenticated users, enabling privilege escalation and unauthorized access.

🟢 If Mitigated

With proper input validation and output encoding, malicious scripts are neutralized, preventing code execution.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authentication with high privileges and victim interaction to load the malicious file.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Esri advisory for specific patched versions (likely 11.4+ or later updates)

Vendor Advisory: https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/2925891-2

Restart Required: No

Instructions:

1. Review Esri advisory for patched versions.
2. Apply the latest security update from Esri.
3. Verify installation and test functionality.

🔧 Temporary Workarounds

Restrict file upload permissions

Limit file upload capabilities to trusted users only and implement strict file type validation.

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block XSS payloads in file uploads.
  • Enforce strict content security policies (CSP) to mitigate script execution.

🔍 How to Verify

Check if Vulnerable:

Check Portal version against affected range (10.9.1-11.4) via admin interface or system logs.

Check Version:

Check Esri Portal admin dashboard or consult system documentation for version info.

Verify Fix Applied:

Confirm the version is updated beyond 11.4 or to the patched release as per the Esri advisory; test file upload functionality.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads with script-like content
  • Multiple failed authentication attempts from single source

Network Indicators:

  • HTTP requests with malicious script patterns in file uploads

SIEM Query:

source="portal_logs" AND (event="file_upload" AND (content CONTAINS "<script>" OR content CONTAINS "javascript:"))
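
The query above matches two literal strings only. As an added example (not from Esri or the original page), this Python check applies the same idea to uploaded file content and goes further by also covering mixed case, UTF-16 encoded files, inline event handlers and embedded-content tags. The pattern set, function names and sample files are assumptions constructed for illustration.

```python
import re

# Assumed pattern set (not taken from the Esri advisory): constructs that let
# an uploaded HTML/SVG/XML file run script when a browser renders it.
SCRIPT_PATTERNS = {
    "script_tag": re.compile(rb"<\s*script\b", re.I),
    "javascript_uri": re.compile(rb"javascript\s*:", re.I),
    "event_handler": re.compile(rb"<[^>]*\son[a-z]+\s*=", re.I),
    "embedded_content": re.compile(rb"<\s*(iframe|object|embed|foreignObject)\b", re.I),
}

def normalize(data):
    """Convert UTF-16 (BOM-marked) content to UTF-8 and drop NUL bytes,
    so a byte-level match is not defeated by the file's encoding."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        data = data.decode("utf-16", errors="replace").encode("utf-8")
    return data.replace(b"\x00", b"")

def scan_upload(data):
    """Return the sorted names of script-bearing constructs found in the bytes."""
    body = normalize(data)
    return sorted(name for name, rx in SCRIPT_PATTERNS.items() if rx.search(body))

def flag_uploads(uploads):
    """Map file name -> findings for every upload that has at least one finding."""
    results = {}
    for name, data in uploads:
        findings = scan_upload(data)
        if findings:
            results[name] = findings
    return results

# Constructed sample uploads (file names and contents are made up).
SAMPLES = [
    ("map.geojson", b'{"type": "FeatureCollection", "features": []}'),
    ("logo.svg", b'<svg xmlns="http://www.w3.org/2000/svg" onload="init()"><circle r="4"/></svg>'),
    ("notes.html", "<ScRiPt>init()</script>".encode("utf-16")),
    ("link.html", b'<a href="JavaScript:init()">open</a>'),
]

if __name__ == "__main__":
    for name, findings in flag_uploads(SAMPLES).items():
        print(name, findings)
```

A hit is a reason to review the upload and the account that made it; pattern matching of this kind produces false positives on legitimate HTML and does not replace patching.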
