CVE-2025-55103 - Stored Cross-Site Scripting in ArcGIS Enterprise Sites

1. Vulnerability Properties

Title: Stored Cross-Site Scripting in ArcGIS Enterprise Sites
CVE ID: CVE-2025-55103
CVSSv4 Base Score: 4.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N)
Vendor: Esri
Product: Portal for ArcGIS Enterprise Sites
Advisory Release Date: 22-09-2025
Advisory URL: https://labs.integrity.pt/advisories/cve-2025-55103
Credits: Discovery by Lucas Machado <lucas.machado[at]devoteam.com>

2. Vulnerability Summary

A stored Cross-site Scripting (XSS) vulnerability exists in Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 – 11.4. A remote, authenticated attacker with high privileges could inject malicious code that executes arbitrary JavaScript in a victim’s browser.

3. Vulnerable Versions

  • Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 – 11.4;

4. Solution

  • Upgrade to Portal for ArcGIS Enterprise Sites 11.5.

5. Vulnerability Timeline

  • 29/Jan/2025 - Bug reported to vendor;
  • 17/Apr/2025 - Bug validated by vendor;
  • 22/Sep/2025 - Advisory released;

6. References

Latest Advisories

Latest Articles

© 2025 INTEGRITY S.A. All rights reserved. | Cookie Policy

Cookie Consent X

Integrity S.A. uses cookies for analytical and more personalized information presentation purposes, based on your browsing habits and profile. For more detailed information, see our Cookie Policy.