CVE-2025-55106: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Esri Portal for ArcGIS Enterprise Sites
There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 – 11.4 that may allow a remote, authenticated attacker to inject a malicious file with an embedded XSS script which, when loaded, could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal.
AI Analysis
Technical Summary
CVE-2025-55106 is a stored Cross-site Scripting (XSS) vulnerability identified in Esri Portal for ArcGIS Enterprise Sites, specifically affecting versions 10.9.1 through 11.4. This vulnerability arises from improper neutralization of input during web page generation (CWE-79), allowing a remote, authenticated attacker with high privileges to inject malicious files containing embedded JavaScript code. When such a file is loaded by a victim, the malicious script executes in the context of the victim’s browser. The exploitation requires user interaction (loading the malicious file) and high-level privileges, but if successful, it can disclose privileged tokens. These tokens could enable the attacker to escalate their access and potentially gain full control over the Portal for ArcGIS Enterprise Sites environment.

The vulnerability has a CVSS v3.1 base score of 4.8 (medium severity), reflecting network attack vector, low attack complexity, high privileges required, user interaction needed, and a scope change with limited confidentiality and integrity impact but no availability impact. No known exploits are reported in the wild as of the publication date.

The vulnerability affects a critical component used for enterprise geographic information system (GIS) portals, which are often integral to infrastructure, urban planning, environmental monitoring, and other strategic operations. The stored nature of the XSS means that malicious scripts persist on the server and can affect multiple users, increasing the risk of widespread compromise within affected organizations.
Potential Impact
For European organizations using Esri Portal for ArcGIS Enterprise Sites, this vulnerability poses a significant risk to the confidentiality and integrity of sensitive geospatial data and administrative controls. Successful exploitation could lead to unauthorized disclosure of privileged tokens, enabling attackers to assume administrative control of the portal. This could result in data manipulation, unauthorized data access, disruption of GIS services, and potential cascading effects on dependent systems and decision-making processes. Given the strategic importance of GIS data in sectors such as transportation, utilities, environmental management, and government services across Europe, the impact could extend to critical infrastructure and public safety. Additionally, the need for high privileges and user interaction somewhat limits the attack surface but does not eliminate the risk, especially in environments where multiple administrators or privileged users operate. The medium CVSS score reflects moderate risk, but the potential for privilege escalation and full portal control elevates the threat in high-value target environments.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should:
1) Immediately apply any available patches or updates from Esri once released, as no patch links were provided at the time of disclosure.
2) Restrict and monitor high-privilege accounts rigorously, limiting the number of users with administrative access to the portal.
3) Implement strict input validation and sanitization on all user-uploaded files and inputs within the portal environment, potentially using web application firewalls (WAFs) with custom rules to detect and block malicious scripts.
4) Conduct regular security audits and penetration testing focused on the portal’s web interfaces to detect any residual or related XSS vulnerabilities.
5) Educate privileged users about the risks of loading untrusted files and encourage cautious behavior to prevent inadvertent execution of malicious scripts.
6) Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing the portal.
7) Monitor logs for unusual activities related to file uploads and token access to detect early signs of exploitation attempts.
These measures, combined with timely patching, will reduce the risk of exploitation and limit potential damage.
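Recommendations 3 and 7 above call for screening user-uploaded files and watching uploads for signs of abuse. The following is an added example written for this page (not Esri code and not part of Portal for ArcGIS) that shows one way a defender can pre-screen uploads for the kind of file the description refers to: browser-renderable content that carries script. The sample uploads, the marker list and the allow/review/block policy are constructed assumptions.

```python
import re

# Constructed sample uploads (name, declared content type, leading bytes); illustrative only.
SAMPLE_UPLOADS = [
    ("logo.svg", "image/svg+xml", b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'),
    ("banner.svg", "image/svg+xml", b'<svg onload="alert(1)"><script>alert(1)</script></svg>'),
    ("notes.txt", "text/plain", b"see <script>alert(1)</script> for details"),
    ("photo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("map.png", "image/png", b"<svg><script>alert(1)</script></svg>"),
]

# Markers that cause script execution when a browser renders the file as markup.
SCRIPT_MARKERS = {
    "script tag": re.compile(rb"<\s*script\b", re.I),
    "event handler attribute": re.compile(rb"\bon[a-z]+\s*=", re.I),
    "javascript: URL": re.compile(rb"javascript\s*:", re.I),
    "embedded document": re.compile(rb"<\s*(iframe|object|embed)\b", re.I),
}
# Types and extensions a browser will render as a document rather than display as an image.
RENDERABLE_TYPES = {"image/svg+xml", "text/html", "application/xhtml+xml"}
RENDERABLE_EXTS = (".svg", ".html", ".htm", ".xhtml")
# Magic bytes for declared binary image types (assumed policy: declared type must match).
IMAGE_MAGIC = {"image/png": b"\x89PNG\r\n\x1a\n", "image/jpeg": b"\xff\xd8\xff", "image/gif": b"GIF8"}


def triage_upload(name, content_type, data):
    """Return (verdict, findings); verdict is 'allow', 'review' or 'block'."""
    head = data[:4096]  # the leading bytes are what a browser parses (and sniffs) first
    findings = [label for label, pat in SCRIPT_MARKERS.items() if pat.search(head)]
    renderable = content_type in RENDERABLE_TYPES or name.lower().endswith(RENDERABLE_EXTS)
    magic = IMAGE_MAGIC.get(content_type)
    if magic is not None and not data.startswith(magic):
        # Declared as a binary image but the bytes say otherwise: a browser may sniff it as markup.
        findings.append("declared %s but magic bytes missing" % content_type)
        renderable = True
    if findings and renderable:
        return "block", findings
    if findings:
        return "review", findings  # script-like text in a type the browser should not render
    return "allow", findings


if __name__ == "__main__":
    for name, ctype, data in SAMPLE_UPLOADS:
        verdict, findings = triage_upload(name, ctype, data)
        print("%-10s %-7s %s" % (name, verdict, ", ".join(findings) or "-"))
```

The screen is a pre-filter for review queues and upload logging, not a substitute for the vendor patch or for output encoding in the pages that serve the files.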
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Norway
Technical Details
- Data Version: 5.1
- Assigner Short Name: Esri
- Date Reserved: 2025-08-06T23:18:36.509Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68a77460ad5a09ad00179dd4
Added to database: 8/21/2025, 7:32:48 PM
Last enriched: 8/21/2025, 7:48:16 PM
Last updated: 8/21/2025, 8:17:51 PM