The Portal for ArcGIS Enterprise Sites 2023 Security Patch is now available

The Portal for ArcGIS Enterprise Sites Security Patch is now available. It contains fixes for one high-severity security issue and multiple medium-severity security issues. Esri strongly recommends that customers running Portal for ArcGIS 10.8.1 through 11.1 install this patch. ArcGIS 10.7.1 is in mature support status and no longer receives patches, so customers running ArcGIS Enterprise 10.7.1 or earlier are encouraged to upgrade to 11.1 (preferred), 10.9.1 or 10.8.1 and then install the available security patches.

This patch was released on June 28, 2023, and is available here.

Key highlights

  • Esri has released security patches for ArcGIS Enterprise Sites (Portal for ArcGIS).
  • These patches should be applied to each Portal for ArcGIS machine (Windows or Linux) that participates in an ArcGIS Enterprise site.
  • Users and system administrators: install these patches at your earliest opportunity to address these vulnerabilities.

We provide Common Vulnerability Scoring System v3.1 (CVSS) scores so that customers can better assess the risk these vulnerabilities pose to their operations. Both the base score and a temporal score modified for Remediation Level: Official Fix (RL:O) are provided; the modified score reflects the availability of an official patch.

Vulnerabilities fixed by this patch

There is a cross-site scripting vulnerability in Esri Portal Sites in versions 10.8.1 through 11.1 that may allow a remote, authenticated attacker to create a crafted link which, when clicked, could execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high.

CVE Details: CVE-2023-25835

  • CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
  • CVSSv3.1 Base Score: 8.4 (High) CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
  • CVSSv3.1 Temporal Score (modified for RL:O, official fix available): 8.0 (High) CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H/RL:O
  • This issue affects ArcGIS Enterprise Sites from 10.8.1 through 11.1.

ESRI Bug ID:  [BUG-000153659 – A stored Cross-Site Scripting (XSS) vulnerability in ArcGIS Enterprise Sites.]

There is a cross-site scripting vulnerability in Esri Portal Sites in versions 10.8.1 through 10.9 that may allow a remote, authenticated attacker to create a crafted link which, when clicked, could execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are low.

CVE Details: CVE-2023-25836

  • CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
  • CVSSv3.1 Base Score: 5.4 (Medium) CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
  • CVSSv3.1 Temporal Score (modified for RL:O, official fix available): 5.2 (Medium) CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/RL:O
  • This issue affects ArcGIS Enterprise Sites from 10.8.1 through 10.9.

ESRI Bug ID: [BUG-000135364 – There is a cross-site scripting (XSS) vulnerability in ArcGIS Enterprise Sites.]

There is a cross-site scripting vulnerability in Esri Portal Sites in versions 10.8.1 through 10.9 that may allow a remote, authenticated attacker to create a crafted link which, when clicked, could execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high.

CVE Details: CVE-2023-25837

  • CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
  • CVSSv3.1 Base Score: 6.8 (Medium) CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
  • CVSSv3.1 Temporal Score (modified for RL:O, official fix available): 6.5 (Medium) CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H/RL:O
  • This issue affects ArcGIS Enterprise Sites from 10.8.1 through 10.9.

ESRI Bug ID: [BUG-000133088 – XSS in ArcGIS Enterprise sites.]