CVE-2023-25835

8.4 HIGH

📋 TL;DR

A stored XSS vulnerability in Esri Portal for ArcGIS Sites allows authenticated high-privilege attackers to inject malicious JavaScript into site configurations. When victims access compromised links, attackers can steal sensitive data, manipulate site content, and disrupt functionality. This affects versions 11.1 and below of Esri Portal for ArcGIS Sites.

💻 Affected Systems

Products:
  • Esri Portal for ArcGIS Sites
Versions: 11.1 and below
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated high-privilege access; affects all deployments with vulnerable versions.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain full control over victim sessions, steal all accessible user data, completely compromise site integrity, and cause permanent service disruption.

🟠 Likely Case

Attackers steal session cookies and user data, modify site content to spread malware or phishing, and cause temporary service interruptions.

🟢 If Mitigated

Limited impact with proper access controls, network segmentation, and monitoring detecting anomalous configuration changes.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated high-privilege access but is technically simple once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply security patch for versions 11.1 and below

Vendor Advisory: https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-enterprise-sites-security-patch-is-now-available/

Restart Required: Yes

Instructions:

1. Download security patch from Esri support.
2. Apply patch following Esri's installation guide.
3. Restart Portal services.
4. Verify patch application.

🔧 Temporary Workarounds

Restrict High-Privilege Access (all platforms)

Limit administrative access to only essential personnel and implement strict access controls.

Implement Content Security Policy (all platforms)

Deploy CSP headers to restrict script execution from unauthorized sources.

🧯 If You Can't Patch

  • Implement strict input validation and output encoding for all user-controlled data in site configurations.
  • Deploy web application firewall rules to block XSS payload patterns and monitor for exploitation attempts.

🔍 How to Verify

Check if Vulnerable:

Check Portal version via administrative interface; if version is 11.1 or below, system is vulnerable.

Check Version:

Check via Portal web interface or administrative console for version information.

Verify Fix Applied:

Verify patch installation through Portal version check and test for XSS payload execution in site configuration fields.

📡 Detection & Monitoring

Log Indicators:

  • Unusual configuration changes by high-privilege users
  • JavaScript payloads in site configuration logs
  • Multiple failed XSS attempts

Network Indicators:

  • Unexpected JavaScript execution in browser sessions
  • Anomalous outbound data transfers following configuration access

SIEM Query:

source="portal_logs" AND ((event="configuration_change" AND user_privilege="high") OR (message CONTAINS "script" OR message CONTAINS "javascript"))
