CVE-2025-55106

4.8 MEDIUM

📋 TL;DR

A stored cross-site scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites allows authenticated attackers with high privileges to inject malicious files containing JavaScript. When victims load these files, arbitrary code executes in their browsers, potentially disclosing privileged tokens that could lead to full portal compromise. Affected versions range from 10.9.1 through 11.4.

💻 Affected Systems

Products:
  • Esri Portal for ArcGIS Enterprise Sites
Versions: 10.9.1 – 11.4
Operating Systems: Not OS-specific
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user with high privileges; default configurations are vulnerable if using affected versions.

📦 What is this software?

Portal for ArcGIS is the web-portal component of Esri's ArcGIS Enterprise platform; ArcGIS Enterprise Sites is its built-in site builder, which lets portal members publish web pages and upload supporting files that other users then load in the browser.
⚠️ Risk & Real-World Impact

🔴 Worst Case

Attacker gains full administrative control of the Portal by stealing privileged tokens, leading to complete system compromise and data exfiltration.

🟠 Likely Case

Privileged user accounts are hijacked, allowing attackers to modify configurations, access sensitive data, and maintain persistence.

🟢 If Mitigated

With proper access controls and monitoring, impact is limited to isolated privilege escalation within authenticated sessions.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated access with high privileges and ability to upload malicious files.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Esri advisory for specific patched versions

Vendor Advisory: https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/2925891-2

Restart Required: No

Instructions:

1. Review the Esri advisory for patched versions.
2. Apply the appropriate security patch for your version.
3. Verify the patch is applied successfully.

🔧 Temporary Workarounds

Restrict File Uploads (applies to all affected versions)

Limit file upload capabilities to trusted users and implement content validation for uploaded files.

🧯 If You Can't Patch

  • Implement strict access controls to limit high-privilege accounts and monitor their activities.
  • Deploy web application firewall rules to detect and block XSS payloads in file uploads.

🔍 How to Verify

Check if Vulnerable:

Check the Portal version in ArcGIS Enterprise Manager or via the administrative interface and compare it against the affected range 10.9.1 through 11.4.

Check Version:

Check via ArcGIS Enterprise administrative tools or consult system documentation for version query.

Verify Fix Applied:

Verify the version has been updated to a patched release as specified in the Esri advisory, and test the Sites file upload functionality to confirm uploaded content is no longer rendered as active script.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads by authenticated users, especially with script-like content or extensions.
  • Suspicious authentication events followed by file manipulation activities.

Network Indicators:

  • HTTP requests uploading files with embedded JavaScript or unusual MIME types.
  • Outbound connections triggered by file loads that may indicate token exfiltration.

SIEM Query:

source="portal_logs" AND (event="file_upload" AND (file_name="*.js" OR content="<script>"))
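The SIEM query above only matches files named `*.js` or bodies containing the literal `<script>` tag. The sweep below, added here as an illustrative example rather than anything from Esri or the advisory, also catches case variants, inline event-handler attributes and `javascript:` URIs, and script bodies in files with non-script extensions or image content types. The JSON field names and the log lines are constructed assumptions, not real Portal for ArcGIS log output.

```python
import json
import re

# Constructed sample log lines (assumed field names mirroring the SIEM query above).
SAMPLE_LOG = """
{"event":"file_upload","user":"admin1","file_name":"logo.png","content_type":"image/png","content":"PNG binary (truncated)"}
{"event":"file_upload","user":"siteadmin","file_name":"page.html","content_type":"text/html","content":"<h1>Hi</h1><SCRIPT>alert(1)</SCRIPT>"}
{"event":"file_upload","user":"siteadmin","file_name":"banner.svg","content_type":"image/svg+xml","content":"<svg onload='alert(1)'></svg>"}
{"event":"file_upload","user":"editor","file_name":"notes.txt","content_type":"text/plain","content":"quarterly numbers"}
{"event":"login","user":"siteadmin"}
"""

# Heuristic markers for active content; case-insensitive so <SCRIPT> and OnLoad= are caught.
SCRIPT_MARKERS = re.compile(r"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)
# Extensions a browser renders as HTML or executes directly (SVG included: it can carry script).
ACTIVE_EXTENSIONS = (".js", ".html", ".htm", ".xhtml", ".svg")


def classify_upload(record):
    """Return the reasons an upload record looks suspicious (empty list if it looks clean)."""
    reasons = []
    name = record.get("file_name", "").lower()
    body = record.get("content", "")
    ctype = record.get("content_type", "")
    if name.endswith(ACTIVE_EXTENSIONS):
        reasons.append(f"active content extension: {name}")
    if SCRIPT_MARKERS.search(body):
        if ctype.startswith("image/"):
            reasons.append("script marker inside image-typed upload (content-type mismatch)")
        else:
            reasons.append("script marker in body")
    return reasons


def flag_suspicious_uploads(log_text):
    """Parse JSON-lines log text; return (user, file_name, reasons) for each flagged upload."""
    flagged = []
    for line in log_text.strip().splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the whole sweep
        if rec.get("event") != "file_upload":
            continue
        reasons = classify_upload(rec)
        if reasons:
            flagged.append((rec.get("user"), rec.get("file_name"), reasons))
    return flagged


if __name__ == "__main__":
    for user, name, reasons in flag_suspicious_uploads(SAMPLE_LOG):
        print(f"{user}\t{name}\t{'; '.join(reasons)}")
```

Hits on the sample log are `page.html` (extension plus inline script) and `banner.svg` (script marker inside an image-typed upload); the PNG and text uploads are not flagged.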
