ArcGIS Blog

Portal for ArcGIS Enterprise Sites Security 2025 Update 1 Patch

By Mark Bierman, Randall Williams, and Michael Young

Esri has released the Portal for ArcGIS Enterprise Sites Security 2025 Update 1 Patch, which resolves five medium-severity cross-site scripting (XSS) vulnerabilities in versions 11.4 and prior.

Customers with 11.5 and greater are not vulnerable; however, they should ensure that the 2025 Critical Best Practices are implemented.

As always, any customer using versions of our software in Mature or Retired status should plan their upgrade to a General Availability (GA) release version immediately. Please see our ArcGIS Enterprise Life Cycle for current GA releases.

This patch was released on August 7th, 2025, and is available here.

We provide Common Vulnerability Scoring System v.3.1 (CVSS) scores to allow our customers to better assess the risk of these vulnerabilities to their operations. Both base and modified temporal scores are provided to reflect the availability of an official patch.

Type of vulnerability

  • CVE Details: CVE-2025-55103
      • CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
      • Base CVSS 3.1: 4.8
      • Temporal CVSS 3.1: 4.6

  • CVE Details: CVE-2025-55104
      • CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
      • Base CVSS 3.1: 4.8
      • Temporal CVSS 3.1: 4.6

  • CVE Details: CVE-2025-55105
      • CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
      • Base CVSS 3.1: 4.8
      • Temporal CVSS 3.1: 4.6

  • CVE Details: CVE-2025-55106
      • CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
      • Base CVSS 3.1: 4.8
      • Temporal CVSS 3.1: 4.6

  • CVE Details: CVE-2025-55107
      • CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
      • Base CVSS 3.1: 4.8
      • Temporal CVSS 3.1: 4.6
