CVE-2025-55107
📋 TL;DR
A stored cross-site scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites allows authenticated attackers with high privileges to inject malicious files containing JavaScript. When victims load these files, arbitrary code executes in their browsers, potentially stealing privileged tokens. This affects versions 10.9.1 through 11.4 of the software.
💻 Affected Systems
- Esri Portal for ArcGIS Enterprise Sites
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains full control of the Portal by stealing privileged tokens, leading to complete system compromise and data exfiltration.
Likely Case
Attacker steals session tokens or credentials from authenticated users, enabling unauthorized access to sensitive portal data and functions.
If Mitigated
With proper access controls and input validation, impact is limited to isolated user sessions without system-wide compromise.
🎯 Exploit Status
Exploitation requires authenticated access with elevated privileges and knowledge of file upload mechanisms.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11.4 or later (check Esri advisory for specific patch versions)
Vendor Advisory: https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/2925891-2
Restart Required: No
Instructions:
1. Review the Esri advisory for specific patch details.
2. Apply the latest security update for your version.
3. Verify patch installation through a version check.
4. Test functionality after patching.
🔧 Temporary Workarounds
Restrict File Upload Permissions
Limit file upload capabilities to only trusted administrators and implement strict file type validation.
Implement Content Security Policy
Deploy CSP headers to restrict script execution from untrusted sources.
🧯 If You Can't Patch
- Implement strict input validation and sanitization for all file uploads
- Monitor and audit file upload activities from privileged users
🔍 How to Verify
Check if Vulnerable:
Check Portal version against affected range (10.9.1-11.4) and review file upload functionality for script execution.
Check Version:
Check Portal version through ArcGIS Enterprise Administrator Directory or web interface
Verify Fix Applied:
Verify Portal version is updated beyond 11.4 or has specific security patches applied per Esri advisory.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads by privileged users
- JavaScript execution in file contexts
- Unexpected token or session activity
Network Indicators:
- Suspicious file uploads to portal endpoints
- Unexpected script loading from uploaded files
SIEM Query:
source="portal_logs" AND (event="file_upload" AND user_privilege="high")
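A detection routine, added here as an example and not part of this advisory or of Esri's tooling, that applies the SIEM query above to constructed sample log lines and narrows the hits to uploads that a browser would execute as script. The key=value log format, field names and file types are assumptions; map them to your Portal log schema before use.

```python
import re
from typing import Dict, List

# Constructed sample log lines in an assumed key=value format. The real Portal
# for ArcGIS log layout differs; only the field semantics matter here.
SAMPLE_LOGS = [
    "ts=2025-01-10T10:01:00Z event=file_upload user=alice user_privilege=high filename=map.png content_type=image/png",
    "ts=2025-01-10T10:02:00Z event=file_upload user=bob user_privilege=high filename=notes.html content_type=text/html",
    "ts=2025-01-10T10:03:00Z event=file_upload user=carol user_privilege=low filename=page.html content_type=text/html",
    "ts=2025-01-10T10:04:00Z event=login user=alice user_privilege=high",
    "ts=2025-01-10T10:05:00Z event=file_upload user=dave user_privilege=high filename=logo.svg content_type=image/svg+xml",
]

# Content types and extensions a browser renders with script capability
# (HTML, XHTML, SVG with inline <script>, plain JavaScript).
SCRIPT_BEARING_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "application/javascript", "text/javascript",
}
SCRIPT_BEARING_EXT = re.compile(r"\.(html?|xhtml|svg|js)$", re.IGNORECASE)


def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict (values carry no spaces in this format)."""
    return dict(kv.split("=", 1) for kv in line.split() if "=" in kv)


def is_suspicious_upload(rec: Dict[str, str]) -> bool:
    """Mirror the advisory's query (file_upload AND user_privilege=high) and keep
    only uploads whose type or extension can carry JavaScript to a victim's browser."""
    if rec.get("event") != "file_upload" or rec.get("user_privilege") != "high":
        return False
    return (rec.get("content_type", "") in SCRIPT_BEARING_TYPES
            or bool(SCRIPT_BEARING_EXT.search(rec.get("filename", ""))))


def find_suspicious_uploads(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed records an analyst should review."""
    return [rec for rec in map(parse_line, lines) if is_suspicious_upload(rec)]


if __name__ == "__main__":
    for rec in find_suspicious_uploads(SAMPLE_LOGS):
        print(f"REVIEW: {rec['ts']} {rec['user']} uploaded {rec['filename']} ({rec['content_type']})")
```

Low-privilege uploads and non-script file types are deliberately left out so the alert volume stays tied to the privilege level the advisory describes.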