CVE-2025-57876

4.8 MEDIUM

📋 TL;DR

A stored cross-site scripting vulnerability in Esri Portal for ArcGIS 11.4 and earlier allows authenticated attackers with high privileges to inject malicious files containing JavaScript. When victims load these files, arbitrary code executes in their browsers, potentially disclosing privileged tokens. This affects organizations using vulnerable versions of Esri Portal for ArcGIS.

💻 Affected Systems

Products:
  • Esri Portal for ArcGIS
Versions: 11.4 and below
Operating Systems: All supported OS for Esri Portal
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated attacker with high privileges; vulnerability exists in file upload functionality.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attacker gains full administrative control of the Portal by stealing privileged tokens, leading to complete system compromise and data exfiltration.

🟠 Likely Case

Attacker steals session tokens or credentials from authenticated users, enabling privilege escalation and unauthorized access to sensitive portal data.

🟢 If Mitigated

With proper input validation and output encoding, malicious scripts are neutralized, preventing code execution and token theft.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authentication with high privileges and victim interaction to load malicious file.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply Security 2025 Update 3 Patch

Vendor Advisory: https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2025-update-3-patch

Restart Required: No

Instructions:

1. Download the Security 2025 Update 3 patch from Esri.
2. Apply the patch to all affected Portal instances.
3. Verify patch installation via version check.

🔧 Temporary Workarounds

Restrict File Uploads (applies to: all)

Temporarily disable or restrict file upload functionality for non-administrative users.

Implement Content Security Policy (applies to: all)

Deploy CSP headers to restrict script execution from untrusted sources.

🧯 If You Can't Patch

  • Implement strict input validation and output encoding for file uploads.
  • Monitor and audit file upload activities for suspicious patterns.

🔍 How to Verify

Check if Vulnerable:

Check Portal version via administrative interface; if version is 11.4 or earlier, system is vulnerable.

Check Version:

Check via Portal administrative console or Esri diagnostic tools.

Verify Fix Applied:

Confirm Portal version is updated post-patch; test file upload functionality with XSS payloads to ensure neutralization.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads with script-like content
  • Multiple failed upload attempts from single user

Network Indicators:

  • HTTP requests with malicious script patterns in file uploads

SIEM Query:

source="portal_logs" AND (file_upload AND (javascript OR script))
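As an added example (not from this advisory, and not Esri's own tooling), a small Python scanner that applies the two log indicators above to upload records: it looks for script-like content in uploaded files and counts repeated failed uploads per user. The record field names and the sample records are constructed assumptions, not the Portal's real log schema.

```python
import re
from collections import Counter

# Patterns for script-like content in uploaded files (HTML, SVG, XML and similar).
SCRIPT_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "svg_with_script": re.compile(r"<\s*svg\b[^>]*>.*<\s*script\b", re.I | re.S),
}

# Constructed sample upload records; the field names are an assumption, not the
# Portal's real log schema. "content" is the first few bytes of the uploaded file.
SAMPLE_RECORDS = [
    {"user": "analyst1", "filename": "report.pdf", "status": "success",
     "content": "%PDF-1.7 plain document"},
    {"user": "publisher2", "filename": "logo.svg", "status": "success",
     "content": "<svg xmlns='http://www.w3.org/2000/svg'><script>alert(1)</script></svg>"},
    {"user": "publisher2", "filename": "page.html", "status": "success",
     "content": "<img src=x onerror=alert(1)>"},
    {"user": "uploader3", "filename": "a.txt", "status": "failed", "content": ""},
    {"user": "uploader3", "filename": "b.txt", "status": "failed", "content": ""},
    {"user": "uploader3", "filename": "c.txt", "status": "failed", "content": ""},
    {"user": "analyst1", "filename": "notes.txt", "status": "failed", "content": ""},
]


def scan_content(content: str) -> list[str]:
    """Return the names of script-like patterns found in an uploaded file's content."""
    return [name for name, rx in SCRIPT_PATTERNS.items() if rx.search(content)]


def flag_uploads(records: list[dict], fail_threshold: int = 3) -> list[dict]:
    """Apply both log indicators: script-like content and repeated failed uploads."""
    findings = []
    for r in records:
        hits = scan_content(r.get("content", ""))
        if hits:
            findings.append({"user": r["user"], "filename": r["filename"],
                             "reason": "script-like content", "patterns": hits})
    failures = Counter(r["user"] for r in records if r["status"] != "success")
    for user, count in failures.items():
        if count >= fail_threshold:
            findings.append({"user": user, "filename": None,
                             "reason": "repeated failed uploads", "count": count})
    return findings


if __name__ == "__main__":
    for finding in flag_uploads(SAMPLE_RECORDS):
        print(finding)
```

Feed it real upload audit records by mapping your log's fields onto `user`, `filename`, `status` and `content`; the patterns are a starting point and will need tuning to the file types your Portal legitimately hosts.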
