
Security Research


This page documents my security research and responsible disclosures.

List of CVEs:

- November 29th 2025 - https://www.cve.org/CVERecord?id=CVE-2025-67712 "HTML injection issue in ArcGIS Web App Builder" - Responsible Disclosure to ESRI. Fix in version 2.30.


Popular posts from this blog

CVE-2025-67712 - Technical Analysis, Proof of Concept (PoC) and Mitigation

CVE-2025-67712

Executive Summary:

- Product: Esri ArcGIS Web AppBuilder (Developer Edition)
- Affected Versions: All versions prior to 2.30
- Vulnerability Type: HTML Injection (Unauthenticated)
- Severity: Medium
- Status: Retired / Unsupported (EOL)
- Fix/Mitigation: https://support.esri.com/en-us/knowledge-base/deprecation-arcgis-web-appbuilder-000036340

At least one public-facing deployment remained vulnerable at the time of disclosure.

Note: Since this software version has received "unsupported-when-assigned" (EOL) status, users on versions earlier than 2.30 will not receive an official patch. This write-up aims to document the vulnerability to help administrators still relying on legacy environments to implement proper mitigations.

Description: I have discovered an HTML Injection vulnerability in the Developer Edition of ArcGIS Web AppBuilder. A remote, unauthenticated attacker can craft a malicious URL that, when clicked b...