CVE-2023-25841: 
ArcGIS Server vulnerability analysis and mitigation

CVE-2023-25841 is a stored Cross-site Scripting (XSS) vulnerability affecting Esri ArcGIS Server versions 10.8.1 through 11.0 on both Windows and Linux platforms. The vulnerability was disclosed and patched on June 28, 2023, allowing remote, unauthenticated attackers to create crafted content that could execute arbitrary JavaScript code in a victim's browser when clicked (Esri Advisory).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) with a CVSS v3.1 Base Score of 6.1 (Medium). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) but needs user interaction (UI:R). The scope is changed (S:C) with low impacts on both confidentiality and integrity (C:L, I:L) and no impact on availability (A:N) (NVD).

When successfully exploited, the vulnerability allows attackers to execute arbitrary JavaScript code in the victim's browser, potentially leading to unauthorized access to sensitive information and manipulation of web content. The impact is characterized by low confidentiality and integrity breaches, with no direct impact on system availability (Esri Advisory).

Esri released a security patch on June 28, 2023, to address this vulnerability. The primary mitigation strategy is to disable anonymous access to ArcGIS Feature services with edit capabilities. Users of affected versions (10.8.1 through 11.0) are strongly recommended to install the security patch. Users on version 10.7.1 should upgrade to either version 11.1 (preferred), 10.9.1, or 10.8.1 and install available security patches (Esri Advisory).