
{
"id": "CVE-2024-25704",
"sourceIdentifier": "psirt@esri.com",
"published": "2024-04-04T18:15:12.343",
"lastModified": "2024-04-04T19:24:50.670",
"vulnStatus": "Awaiting Analysis",
"descriptions": [
{
"lang": "en",
"value": "There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Experience Builder versions <= 11.1 that may allow a remote, authenticated attacker to create a crafted link that is stored in the Experience Builder Embed widget which when loaded could potentially execute arbitrary JavaScript code in the victim\u2019s browser. The privileges required to execute this attack are high.\u00a0"
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de Cross-Site Scripting almacenada en Esri Portal for ArcGIS Enterprise Experience Builder versiones &lt;= 11.1 que puede permitir que un atacante remoto y autenticado cree un enlace manipulado que se almacena en el widget de inserci\u00f3n de Experience Builder que, cuando se carga, podr\u00eda ejecutarse de forma arbitraria. C\u00f3digo JavaScript en el navegador de la v\u00edctima. Los privilegios necesarios para ejecutar este ataque son elevados."
}
],
"metrics": {
"cvssMetricV31": [
{
"source": "psirt@esri.com",
"type": "Secondary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "HIGH",
"userInteraction": "REQUIRED",
"scope": "CHANGED",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7
}
]
},
"weaknesses": [
{
"source": "psirt@esri.com",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "CWE-79"
}
]
}
],
"references": [
{
"url": "https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2024-update-2/",
"source": "psirt@esri.com"
}
]
}