CVE-2025-55107: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Esri Portal for ArcGIS Enterprise Sites

Severity: Medium
Type: Vulnerability
Tags: CVE-2025-55107, cwe-79
Published: Thu Aug 21 2025 (08/21/2025, 19:29:59 UTC)
Source: CVE Database V5
Vendor/Project: Esri
Product: Portal for ArcGIS Enterprise Sites

Description

There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 – 11.4 that may allow a remote, authenticated attacker to inject a malicious file with an embedded XSS script which, when loaded, could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal.

AI-Powered Analysis

Last updated: 08/21/2025, 19:47:53 UTC

Technical Analysis

CVE-2025-55107 is a stored Cross-site Scripting (XSS) vulnerability identified in Esri Portal for ArcGIS Enterprise Sites, specifically affecting versions 10.9.1 through 11.4. This vulnerability arises from improper neutralization of input during web page generation (CWE-79), allowing an authenticated attacker with high privileges to inject malicious files containing embedded XSS scripts. When these malicious files are loaded by a victim, arbitrary JavaScript code can execute within the victim's browser context. The attack requires the attacker to be authenticated with elevated privileges, which limits the attack surface but increases the risk if such credentials are compromised or misused. Successful exploitation can lead to disclosure of privileged tokens, potentially granting the attacker full control over the Portal for ArcGIS Enterprise instance. The vulnerability has a CVSS v3.1 base score of 4.8 (medium severity), reflecting network attack vector, low attack complexity, high privileges required, and user interaction needed. The scope is changed (S:C), indicating that the vulnerability affects resources beyond the initially vulnerable component. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability impacts the confidentiality and integrity of the system by enabling token theft and unauthorized control, but does not directly affect availability. Given the critical role of Esri Portal for ArcGIS in managing geographic information systems (GIS) and spatial data, this vulnerability poses a significant risk to organizations relying on this platform for sensitive geospatial data and operations.

Potential Impact

For European organizations, the impact of CVE-2025-55107 can be substantial, particularly for government agencies, urban planning departments, environmental monitoring bodies, and private sector companies that utilize Esri's ArcGIS Enterprise for critical geospatial data management. Exploitation could lead to unauthorized access to sensitive spatial data, manipulation of GIS resources, and potential disruption of services reliant on accurate geographic information. The disclosure of privileged tokens could allow attackers to escalate privileges, modify or exfiltrate data, and undermine trust in spatial data integrity. This is especially critical in sectors such as defense, infrastructure management, and emergency response, where compromised GIS data could have cascading effects on public safety and national security. The requirement for high privileges and user interaction somewhat limits the attack vector but does not eliminate risk, as insiders or compromised accounts could be leveraged. The medium CVSS score suggests moderate urgency, but the strategic importance of affected systems in Europe elevates the practical impact beyond the numeric score.

Mitigation Recommendations

1. Immediate mitigation should focus on restricting access to the Portal for ArcGIS Enterprise Sites to trusted administrators and enforcing strict privilege management to minimize the number of users with high-level access.
2. Implement robust input validation and sanitization on all file upload and web page generation components to prevent injection of malicious scripts.
3. Monitor and audit user activities, especially those with elevated privileges, to detect anomalous behavior indicative of exploitation attempts.
4. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing the portal.
5. Regularly update and patch the Esri Portal for ArcGIS Enterprise Sites software as vendor patches become available; in the absence of patches, consider temporarily disabling file upload features or limiting the file types accepted.
6. Educate administrators and users on the risks of XSS and the importance of cautious interaction with uploaded content.
7. Use multi-factor authentication (MFA) to reduce the risk of credential compromise for privileged accounts.
8. Conduct penetration testing and vulnerability assessments focused on web application security to identify and remediate similar issues proactively.
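An upload pre-filter in the spirit of recommendations 2 and 5, as an added example that is not Esri's code and not part of the original analysis: it allowlists extensions and rejects markup files that carry active content. The extension sets, pattern list and function names are assumptions for illustration; the page does not say which file types the Portal issue involves.

```python
import re
from pathlib import PurePosixPath

# Assumed policy for this example (not Esri's): image types treated as passive,
# markup types accepted only when the scan below finds no active content.
PASSIVE_EXT = {".png", ".jpg", ".jpeg", ".gif"}
MARKUP_EXT = {".svg", ".html", ".htm", ".xml"}

# Constructs that make a browser run script when the markup is rendered.
ACTIVE_PATTERNS = {
    "script element": re.compile(rb"<\s*script\b", re.I),
    "inline event handler": re.compile(rb"<[^>]*\son[a-z]+\s*=", re.I),
    "javascript: URL": re.compile(rb"javascript\s*:", re.I),
    "embedded document": re.compile(rb"<\s*(iframe|object|embed|foreignObject)\b", re.I),
}

def looks_like_markup(data: bytes) -> bool:
    """True when the first bytes are an XML/HTML/SVG prolog or root tag."""
    head = data[:512].lstrip(b"\xef\xbb\xbf \t\r\n").lower()
    return head.startswith((b"<?xml", b"<!doctype", b"<svg", b"<html"))

def review_upload(filename: str, data: bytes) -> tuple[str, list[str]]:
    """Return ("accept" | "reject", reasons) for one uploaded file."""
    ext = PurePosixPath(filename.lower()).suffix
    if ext not in PASSIVE_EXT | MARKUP_EXT:
        return "reject", [f"extension {ext or '(none)'} not on allowlist"]
    # An extension that disagrees with the content is rejected, not trusted.
    if ext in PASSIVE_EXT and looks_like_markup(data):
        return "reject", ["markup content behind a passive extension"]
    if ext in MARKUP_EXT:
        hits = [name for name, rx in ACTIVE_PATTERNS.items() if rx.search(data)]
        if hits:
            return "reject", hits
    return "accept", []

# Constructed sample uploads (not taken from any real incident).
SAMPLES = {
    "boundary.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>',
    "legend.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><script>console.log(1)</script></svg>',
    "logo.png": b'<?xml version="1.0"?><svg onload="console.log(1)"/>',
    "notes.docx": b"PK\x03\x04",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, *review_upload(name, body))
```

Pattern matching of this kind is a coarse gate placed in front of the upload path; it complements output encoding, CSP and the vendor patch rather than standing in for them.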

Technical Details

Data Version: 5.1
Assigner Short Name: Esri
Date Reserved: 2025-08-06T23:18:36.509Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68a77460ad5a09ad00179dd7

Added to database: 8/21/2025, 7:32:48 PM

Last enriched: 8/21/2025, 7:47:53 PM

Last updated: 8/21/2025, 8:17:51 PM
