CVE-2025-57876
There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, authenticated attacker to inject malicious a file with an embedded xss script which when loaded could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal.
| Software | From | Fixed in |
|---|---|---|
| esri / portal_for_arcgis | 10.9.1 | 10.9.1.x |
| esri / portal_for_arcgis | 10.9.1-security_2025_update1 | 10.9.1-security_2025_update1.x |
| esri / portal_for_arcgis | 10.9.1-security_2025_update2 | 10.9.1-security_2025_update2.x |
| esri / portal_for_arcgis | 11.0 | 11.0.x |
| esri / portal_for_arcgis | 11.1 | 11.1.x |
| esri / portal_for_arcgis | 11.1-security_2024_update1 | 11.1-security_2024_update1.x |
| esri / portal_for_arcgis | 11.1-security_2024_update2 | 11.1-security_2024_update2.x |
| esri / portal_for_arcgis | 11.1-security_2025_update1 | 11.1-security_2025_update1.x |
| esri / portal_for_arcgis | 11.1-security_2025_update2 | 11.1-security_2025_update2.x |
| esri / portal_for_arcgis | 11.2 | 11.2.x |
| esri / portal_for_arcgis | 11.2-security_2024_update1 | 11.2-security_2024_update1.x |
| esri / portal_for_arcgis | 11.2-security_2024_update2 | 11.2-security_2024_update2.x |
| esri / portal_for_arcgis | 11.2-security_2025_update1 | 11.2-security_2025_update1.x |
| esri / portal_for_arcgis | 11.2-security_2025_update2 | 11.2-security_2025_update2.x |
| esri / portal_for_arcgis | 11.3 | 11.3.x |
| esri / portal_for_arcgis | 11.3-security_2025_update1 | 11.3-security_2025_update1.x |
| esri / portal_for_arcgis | 11.3-security_2025_update2 | 11.3-security_2025_update2.x |
| esri / portal_for_arcgis | 11.4 | 11.4.x |
| esri / portal_for_arcgis | 11.4-security_2025_update1 | 11.4-security_2025_update1.x |
| esri / portal_for_arcgis | 11.4-security_2025_update2 | 11.4-security_2025_update2.x |
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime