CVE-2024-38039

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CWE-80)

Published: Oct 4, 2024 / Updated: 46d ago

CVSS 5.4 / EPSS 0.04% / Medium

Summary

There is an HTML injection vulnerability in Esri Portal for ArcGIS versions 11.0 and below that may allow a remote, authenticated attacker to create a crafted link which when clicked could render arbitrary HTML in the victim's browser (no stateful change made or customer data rendered).

Impact

This vulnerability could allow an attacker to perform a cross-site scripting (XSS) attack. When a victim clicks on a specially crafted link, arbitrary HTML could be rendered in their browser. This could lead to:

1. Theft of sensitive information: The attacker might be able to steal session cookies or other sensitive data from the victim's browser.
2. Phishing attacks: The injected HTML could be used to create convincing phishing forms or messages within the trusted context of the Esri Portal for ArcGIS interface.
3. Malware distribution: The attacker could potentially inject scripts that download and execute malware on the victim's system.
4. Defacement: The appearance of the application could be altered, potentially damaging the organization's reputation.

It's important to note that this vulnerability requires user interaction (clicking on a malicious link) and does not allow for stateful changes or render customer data directly.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

A patch is available. Esri has released Portal for ArcGIS Security 2024 Update 2 to address this vulnerability. The patch information can be found at: https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2024-update-2-released/

Mitigation

To mitigate this vulnerability:

1. Update Esri Portal for ArcGIS to a version newer than 11.0, preferably to the latest patched version (Portal for ArcGIS Security 2024 Update 2).
2. If immediate updating is not possible, consider the following temporary measures:
   - Implement strict input validation and output encoding for user-supplied content.
   - Use Content Security Policy (CSP) headers to restrict the execution of scripts.
   - Educate users about the risks of clicking on unknown or suspicious links, even within the trusted ArcGIS environment.
   - Monitor for suspicious activities or unexpected HTML content within the Portal for ArcGIS interface.
3. Regularly check for and apply security updates from Esri for all ArcGIS products.
4. Implement the principle of least privilege for user accounts to minimize the potential impact of successful exploits.
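The two temporary measures above, output encoding and a CSP header, shown as an added illustration that is not Esri's code: a hypothetical page handler that reflects a constructed `title` query-string value into its HTML, first unencoded (the CWE-80 pattern) and then encoded, plus a restrictive CSP header value.

```python
"""Reflected HTML injection (CWE-80) next to its mitigations.

Added illustration, not Portal for ArcGIS code: the render functions
stand in for any server that copies a query-string value into the HTML
it returns. The ``title`` parameter and the sample link are constructed.
"""
from html import escape
from urllib.parse import parse_qs, urlsplit


def _title_param(url: str) -> str:
    """Pull the (constructed) ``title`` parameter out of a crafted link."""
    return parse_qs(urlsplit(url).query).get("title", [""])[0]


def vulnerable_render(url: str) -> str:
    """Interpolates the raw value: tags in the link become live markup."""
    return f"<h1>{_title_param(url)}</h1>"


def hardened_render(url: str) -> str:
    """Encodes the value for the HTML text context before interpolating."""
    return f"<h1>{escape(_title_param(url), quote=True)}</h1>"


def csp_header() -> tuple[str, str]:
    """Defence in depth: scripts only from the page's own origin, inline
    scripts and plugins blocked, so an injected <script> does not run."""
    return (
        "Content-Security-Policy",
        "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'",
    )


def contains_element(html: str, element: str) -> bool:
    """Crude demo check: does an opening tag for ``element`` survive?"""
    return f"<{element}" in html.lower()


# Constructed sample link carrying a harmless <b> tag in the parameter.
SAMPLE = "https://portal.example/home/?title=%3Cb%3Ehello%3C/b%3E"

if __name__ == "__main__":
    print(vulnerable_render(SAMPLE))  # <b> is rendered as markup
    print(hardened_render(SAMPLE))    # <b> is rendered as visible text
```

Monitoring for the second measure can reuse `contains_element` on logged request parameters: an angle bracket in a value that should only ever be plain text is the signal to look at.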

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Timeline

First Article

Feedly found the first article mentioning CVE-2024-38039. See article

Sep 3, 2024 at 10:41 PM / ArcGIS Trust Center Archives - ArcGIS Blog
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Oct 4, 2024 at 5:28 PM
CVE Assignment

NVD published the first details for CVE-2024-38039

Oct 4, 2024 at 6:15 PM
CVSS

A CVSS base score of 5.4 has been assigned.

Oct 4, 2024 at 6:20 PM / nvd
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.6%)

Oct 6, 2024 at 3:05 AM

Affected Systems

Esri/portal_for_arcgis

Patches

www.esri.com

Attack Patterns

CAPEC-18: XSS Targeting Non-Script Elements

References

Portal for ArcGIS Security 2024 Update 2 Released
CWE-601 URL Redirection to Untrusted Site (‘Open Redirect’) Esri has released the Portal for ArcGIS Security 2024 Update 2 Patch that resolves multiple high and medium severity security vulnerabilities across versions 11.2, 11.1, 10.9.1, 10.8.1.

News

Multiple Vulnerabilities in Esri Portal for ArcGIS
Development Last Updated: 10/9/2024 CVEs: CVE-2024-38040 , CVE-2024-25707 , CVE-2024-38038 , CVE-2024-38039 , CVE-2024-8149 , CVE-2024-25701 , CVE-2024-38037 , CVE-2024-25702 , CVE-2024-25694 , CVE-2024-38036 , CVE-2024-25691 , CVE-2024-8148
NA - CVE-2024-38039 - There is an HTML injection vulnerability in...
There is an HTML injection vulnerability in Esri Portal for ArcGIS versions 11.0 and below that may allow a remote, authenticated attacker to create a crafted link which when clicked could render...
CVE-2024-38039 - Esri Portal for ArcGIS HTML Injection
CVE ID : CVE-2024-38039 Published : Oct. 4, 2024, 6:15 p.m. 15 minutes ago Description : There is an HTML injection vulnerability in Esri Portal for ArcGIS versions 11.0 and below that may allow a remote, authenticated attacker to create a crafted link which when clicked could render arbitrary HTML in the victim’s browser (no stateful change made or customer data rendered). Severity: 5.4 MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability Impact: None
