
CVE-2025-55104: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Esri Portal for ArcGIS Enterprise Sites

Severity: Medium
Type: Vulnerability
Tags: CVE-2025-55104, cve, cve-2025-55104, cwe-79
Published: Thu Aug 21 2025 (08/21/2025, 19:28:43 UTC)
Source: CVE Database V5
Vendor/Project: Esri
Product: Portal for ArcGIS Enterprise Sites

Description

A stored cross-site scripting (XSS) vulnerability exists in ArcGIS HUB and ArcGIS Enterprise Sites which allows an authenticated user with the ability to create or edit a site to add and store an XSS payload. If this stored XSS payload is triggered by any user, attacker-supplied JavaScript may execute in the victim's browser.

AI-Powered Analysis

Last updated: 08/21/2025, 19:48:53 UTC

Technical Analysis

CVE-2025-55104 is a stored cross-site scripting (XSS) vulnerability in Esri's Portal for ArcGIS Enterprise Sites, specifically affecting version 10.9.1. It arises from improper neutralization of input during web page generation (CWE-79). An authenticated user with permission to create or edit a site can inject malicious JavaScript into the site content, where it is stored persistently. When any user subsequently accesses the affected site page, the script executes in that user's browser context. This can lead to session hijacking, credential theft, or unauthorized operations performed on behalf of the victim. Triggering the vulnerability requires both authentication (to plant the payload) and user interaction (a victim visiting the affected page).

The CVSS v3.1 base score is 4.8 (medium severity): the attack vector is network-based with low attack complexity, but the attack requires high privileges (PR:H) and user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability affects components beyond the initially vulnerable one, potentially impacting other users or systems. The vulnerability impacts confidentiality and integrity but does not affect availability. No known exploits are currently reported in the wild, and no patches are linked yet. It primarily threatens users who access the compromised sites and the overall trustworthiness of the portal content.

Potential Impact

For European organizations using Esri Portal for ArcGIS Enterprise Sites, this vulnerability poses a risk to the confidentiality and integrity of user sessions and data. Since ArcGIS Enterprise Sites are often used by government agencies, urban planners, environmental organizations, and utilities across Europe for geospatial data sharing and collaboration, exploitation could lead to unauthorized data access or manipulation. Attackers could leverage this XSS to steal session cookies, perform actions on behalf of legitimate users, or deliver further malware payloads. This could undermine trust in critical geospatial services and potentially disrupt decision-making processes that rely on accurate GIS data. The requirement for authenticated access limits the attack surface to internal or trusted users, but insider threats or compromised accounts could be leveraged. The medium severity score suggests a moderate risk, but the strategic importance of GIS platforms in Europe elevates the potential operational impact. Additionally, the cross-site scripting vulnerability could be used as a stepping stone for more complex attacks within interconnected enterprise environments.

Mitigation Recommendations

European organizations should implement the following specific mitigations:

1) Restrict site creation and editing privileges strictly to trusted and trained personnel to minimize the risk of malicious payload injection.
2) Implement rigorous input validation and output encoding on all user-supplied content within the portal, especially for fields that allow HTML or script content.
3) Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing the portal.
4) Monitor and audit site content changes regularly for suspicious or unexpected script insertions.
5) Educate users about the risks of XSS and encourage cautious behavior when interacting with portal content.
6) Maintain strict session management and consider implementing HttpOnly and Secure flags on cookies to reduce session hijacking risks.
7) Apply any vendor patches or updates as soon as they become available, and engage with Esri support to obtain interim fixes or workarounds.
8) Consider network segmentation and access controls to limit exposure of the portal to only necessary users and systems.
9) Use web application firewalls (WAFs) with rules tuned to detect and block XSS payloads targeting the portal.
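The content audit in mitigation 4 can be automated by parsing stored site markup rather than pattern-matching it. The following is an added example, not Esri's or this page's code: the site document layout and field names are hypothetical, and the sample data is constructed.

```python
from html.parser import HTMLParser

URL_ATTRS = {"href", "src", "action", "formaction"}
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}


class ScriptFinder(HTMLParser):
    """Records markup constructs that can run script when rendered."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            # Compare URL schemes case-insensitively and ignoring whitespace.
            compact = "".join((value or "").split()).lower()
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")
            elif name in URL_ATTRS and compact.startswith(("javascript:", "data:text/html")):
                self.findings.append(f"script URL in {name} on <{tag}>")


def scan_html(markup):
    finder = ScriptFinder()
    finder.feed(markup)
    finder.close()
    return finder.findings


def audit(node, path="$"):
    """Walk decoded JSON and return (path, finding) for every string value."""
    if isinstance(node, dict):
        return [h for k, v in node.items() for h in audit(v, f"{path}.{k}")]
    if isinstance(node, list):
        return [h for i, v in enumerate(node) for h in audit(v, f"{path}[{i}]")]
    if isinstance(node, str):
        return [(path, finding) for finding in scan_html(node)]
    return []


# Constructed sample: hypothetical site document, not Esri's real schema.
SAMPLE_SITE = {"title": "Parks dashboard", "sections": [
    {"html": '<h2>Welcome</h2><a href="https://example.org/parks">Parks</a>'},
    {"html": '<p>Legend</p><img src="legend.png" onerror="alert(1)">'},
    {"html": '<a href="JavaScript:alert(1)">Details</a><script>alert(1)</script>'},
]}
```

Running `audit()` over each saved site revision and alerting on any non-empty result gives reviewers the JSON path of the field to inspect.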


Technical Details

Data Version: 5.1
Assigner Short Name: Esri
Date Reserved: 2025-08-06T23:18:36.508Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68a77460ad5a09ad00179dce

Added to database: 8/21/2025, 7:32:48 PM

Last enriched: 8/21/2025, 7:48:53 PM

Last updated: 8/22/2025, 12:49:19 PM
