GCVE - cpe:2.3:a:esri:portal_for_arcgis:11.1:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:esri:portal_for_arcgis:11.1:*:*:*:*:*:*:*

part: a version: 11.1 update: *

Vendor	Esri (`7fc7b1c4-e95b-5bc9-bfb4-4695cd2e3e82`)
Product	Portal For Arcgis (`4a9585b9-e85b-56ed-a5e6-c7c2789574cc`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from NVD CPE 2.0 feed

PURL mappings

PURL	Source	Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2025-55103`	vulnerable	2026-06-03 15:04:57.659350	BUG-000177333 - ArcGIS Enterprise Sites has a stored Cross-site Scripting vulnerability. MEDIUM (4.8) There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 – 11.4 that may allow a remote, authenticated attacker to inject malicious a file with an embedded xss script which when loaded could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal. Published: 2025-08-21T19:25:13.460Z Updated: 2025-09-09T16:54:02.458Z Open on db.gcve.eu Reference links https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/2925891-2	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2024-8149`	vulnerable	2026-06-03 14:58:17.232770	BUG-000168624 - Unvalidated redirect in Portal for ArcGIS. MEDIUM (4.6) There is a reflected Cross‑Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS versions 11.1 and 11.2 that may allow a remote, authenticated attacker with low‑privileged access to create a crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim’s browser. Exploitation is limited to the same browser execution context and does not result in a change of security scope beyond the affected user session. Published: 2024-10-04T17:14:39.010Z Updated: 2026-02-06T06:15:10.027Z Open on db.gcve.eu Reference links https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2024-update-2-released/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2024-8148`	vulnerable	2026-06-03 14:58:17.230402	BUG-000168624 - Unvalidated redirect in Portal for ArcGIS. (11.2, 11.1, 10.9.1. and 10.8.1) MEDIUM (6.1) There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.2 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks. Published: 2024-10-04T17:11:43.279Z Updated: 2025-04-10T19:11:58.566Z Open on db.gcve.eu Reference links https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2024-update-2-released/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2024-38040`	vulnerable	2026-06-03 14:56:07.902073	BUG-000167984 - Portal for ArcGIS has a Local file inclusion (LFI) vulnerability HIGH (7.5) There is a local file inclusion vulnerability in Esri Portal for ArcGIS 11.2 and below that may allow a remote, unauthenticated attacker to craft a URL that could potentially disclose sensitive configuration information by reading internal files. Published: 2024-10-04T18:04:01.657Z Updated: 2025-04-10T18:52:18.843Z Open on db.gcve.eu Reference links https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2024-update-2-released/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2024-25709`	vulnerable	2026-06-03 14:55:14.007522	Self-XSS style in move item dialog MEDIUM (6.1) There is a stored Cross‑Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS versions 11.2 and below that may allow a remote, authenticated attacker to create a crafted link that can be saved as a new location when moving an existing item, which could potentially execute arbitrary JavaScript code in a victim’s browser. Exploitation does not require any privileges and can be performed by an anonymous user. Published: 2024-04-04T17:55:17.893Z Updated: 2026-02-06T06:10:48.587Z Open on db.gcve.eu Reference links https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2024-update-1/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2024-25691`	vulnerable	2026-06-03 14:55:13.982434	BUG-000165286 - Reflected XSS in Portal for ArcGIS MEDIUM (6.1) There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 11.1 and below which may allow a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. Published: 2024-10-04T17:18:52.963Z Updated: 2025-04-10T19:18:32.234Z Open on db.gcve.eu Reference links https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2024-update-2-released/	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.