CVE-2025-55107 - Stored Cross-Site Scripting in ArcGIS Enterprise Sites

1. Vulnerability Properties

Title: Stored Cross-Site Scripting in ArcGIS Enterprise Sites
CVE ID: CVE-2025-55107
CVSSv4 Base Score: 4.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N)
Vendor: Esri
Product: Portal for ArcGIS Enterprise Sites
Advisory Release Date: 22-09-2025
Advisory URL: https://labs.integrity.pt/advisories/cve-2025-55107
Credits: Discovery by Cláudia Picoito <claudia.picoito[at]devoteam.com>

2. Vulnerability Summary

A stored Cross-Site Scripting (XSS) vulnerability exists in Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 – 11.4. A remote, authenticated attacker with high privileges can upload a malicious file with an embedded XSS payload that, when loaded, executes arbitrary JavaScript code in the victim's browser.
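As an added defender-side illustration, not code from the advisory or from Esri: a check that flags uploaded files carrying browser-executable markup, and the response headers that keep such a file from running in the portal's origin if it is served anyway. The file types (HTML, SVG) and the sample uploads are assumptions; the advisory does not name the file type involved.

```python
import re

# Constructed sample uploads (assumed file types; not taken from the advisory).
SAMPLES = {
    "notes.txt": b"Plain text site description, nothing active here.",
    "logo.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>',
    "bad.svg": b'<svg onload="alert(1)" xmlns="http://www.w3.org/2000/svg"></svg>',
    "page.html": b"<html><body><script>document.title='x'</script></body></html>",
}

# Markup that makes a file execute script once a browser renders it inline:
# script/iframe/object/embed tags, inline event handlers, javascript: URLs.
ACTIVE_MARKUP = re.compile(
    rb"<\s*script\b|<\s*iframe\b|<\s*object\b|<\s*embed\b|\bon[a-z]+\s*=|javascript\s*:",
    re.IGNORECASE,
)


def contains_active_content(data: bytes) -> bool:
    """True if the upload carries markup a browser would execute when rendered."""
    return ACTIVE_MARKUP.search(data) is not None


def response_headers_for(name: str, data: bytes) -> dict:
    """Headers for serving an uploaded file so it cannot run as page script in
    the portal's origin: no MIME sniffing, sandboxed CSP, and download-only
    delivery when the content is active."""
    headers = {
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }
    if contains_active_content(data):
        # Strip anything that could break out of the quoted filename parameter.
        safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", name)
        headers["Content-Disposition"] = f'attachment; filename="{safe_name}"'
        headers["Content-Type"] = "application/octet-stream"
    return headers


def triage(uploads: dict) -> dict:
    """Map each filename to whether it should be rejected or quarantined."""
    return {name: contains_active_content(data) for name, data in uploads.items()}


if __name__ == "__main__":
    for name, flagged in triage(SAMPLES).items():
        print(f"{name}: {'ACTIVE CONTENT' if flagged else 'ok'}")
```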

3. Vulnerable Versions

  • Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 – 11.4.

4. Solution

  • Upgrade to Portal for ArcGIS Enterprise Sites 11.5.

5. Vulnerability Timeline

  • 29/Jan/2025 - Bug reported to vendor
  • 13/May/2025 - Bug validated by vendor
  • 22/Sep/2025 - Advisory released

6. References



© 2025 INTEGRITY S.A. All rights reserved.
