Search criteria
168 vulnerabilities found for arcgis_server by esri
FKIE_CVE-2025-57870
Vulnerability from fkie_nvd - Published: 2025-10-22 15:15 - Updated: 2025-10-31 18:51
Severity ?
Summary
A SQL Injection vulnerability exists in Esri ArcGIS Server versions 11.3, 11.4 and 11.5 on Windows, Linux and Kubernetes. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary SQL commands via a specific ArcGIS Feature Service operation. Successful exploitation can potentially result in unauthorized access, modification, or deletion of data from the underlying Enterprise Geodatabase.
References
| URL | Tags | ||
|---|---|---|---|
| psirt@esri.com | https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-feature-services-security-patch | Mitigation, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| esri | arcgis_server | * | |
| kubernetes | kubernetes | - | |
| linux | linux_kernel | - | |
| microsoft | windows | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B19FFADD-9CAD-438D-95BB-AA1C65EC2207",
"versionEndIncluding": "11.5",
"versionStartIncluding": "11.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:kubernetes:kubernetes:-:*:*:*:*:*:*:*",
"matchCriteriaId": "14C32308-314D-4E0D-B15F-6A68DF21E9F9",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*",
"matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A SQL Injection vulnerability exists in Esri ArcGIS Server versions 11.3, 11.4 and 11.5 on Windows, Linux and Kubernetes. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary SQL commands via a specific ArcGIS Feature Service operation. Successful exploitation can potentially result in unauthorized access, modification, or deletion of data from the underlying Enterprise Geodatabase."
}
],
"id": "CVE-2025-57870",
"lastModified": "2025-10-31T18:51:22.923",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10.0,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 6.0,
"source": "psirt@esri.com",
"type": "Primary"
}
]
},
"published": "2025-10-22T15:15:51.830",
"references": [
{
"source": "psirt@esri.com",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-feature-services-security-patch"
}
],
"sourceIdentifier": "psirt@esri.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "psirt@esri.com",
"type": "Primary"
}
]
}
FKIE_CVE-2024-51966
Vulnerability from fkie_nvd - Published: 2025-03-03 20:15 - Updated: 2025-04-10 20:15
Severity ?
Summary
There is a path traversal vulnerability in ESRI ArcGIS Server versions 11.3 and below. Successful exploitation may allow a remote authenticated attacker with admin privileges to traverse the file system to access files outside of the intended directory. There is no impact to integrity or availability due to the nature of the files that can be accessed, but there is a potential high impact to confidentiality.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| esri | arcgis_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0F9FCA91-B1DE-4C4E-8E33-C42BEA8F53D0",
"versionEndIncluding": "11.3",
"versionStartIncluding": "10.9.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "There is a path traversal vulnerability in ESRI ArcGIS Server versions 11.3 and below. Successful exploitation may allow a remote authenticated attacker with admin privileges to traverse the file system to access files outside of the intended directory. There is no impact to integrity or availability due to the nature of the files that can be accessed, but there is a potential high impact to confidentiality."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de path traversal en las versiones 10.9.1 a 11.3 de ESRI ArcGIS Server. Si se explota con \u00e9xito, es posible que un atacante remoto autenticado con privilegios de administrador pueda recorrer el sistema de archivos para acceder a archivos fuera del directorio previsto. No hay impacto en la integridad ni en la disponibilidad debido a la naturaleza de los archivos a los que se puede acceder, pero existe un alto potencial de impacto en la confidencialidad."
}
],
"id": "CVE-2024-51966",
"lastModified": "2025-04-10T20:15:21.850",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 3.6,
"source": "psirt@esri.com",
"type": "Primary"
}
]
},
"published": "2025-03-03T20:15:43.387",
"references": [
{
"source": "psirt@esri.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/"
}
],
"sourceIdentifier": "psirt@esri.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "psirt@esri.com",
"type": "Primary"
}
]
}
FKIE_CVE-2024-51963
Vulnerability from fkie_nvd - Published: 2025-03-03 20:15 - Updated: 2025-04-10 20:15
Severity ?
Summary
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and follow that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| esri | arcgis_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0F9FCA91-B1DE-4C4E-8E33-C42BEA8F53D0",
"versionEndIncluding": "11.3",
"versionStartIncluding": "10.9.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and follow that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim\u2019s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de cross-site scripting almacenado en ArcGIS Server para las versiones 10.9.1 a 11.3 que puede permitir que un atacante remoto autenticado cree un v\u00ednculo almacenado y manipulado que, al hacer clic en \u00e9l, podr\u00eda ejecutar c\u00f3digo JavaScript arbitrario en el navegador de la v\u00edctima. Los privilegios necesarios para ejecutar este ataque son altos y requieren capacidades de publicaci\u00f3n. El impacto es bajo tanto para la confidencialidad como para la integridad, pero no tiene impacto en la disponibilidad."
}
],
"id": "CVE-2024-51963",
"lastModified": "2025-04-10T20:15:21.723",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "psirt@esri.com",
"type": "Primary"
}
]
},
"published": "2025-03-03T20:15:43.240",
"references": [
{
"source": "psirt@esri.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/"
}
],
"sourceIdentifier": "psirt@esri.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "psirt@esri.com",
"type": "Primary"
}
]
}
FKIE_CVE-2024-51962
Vulnerability from fkie_nvd - Published: 2025-03-03 20:15 - Updated: 2025-03-06 14:34
Severity ?
8.7 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
9.6 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
9.6 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Summary
A SQL injection vulnerability in ArcGIS Server allows an EDIT operation to modify Column properties allowing for the execution of a SQL Injection by a remote authenticated user with elevated (non admin) privileges. There is a high impact to integrity and confidentiality and no impact to availability.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| esri | arcgis_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0F9FCA91-B1DE-4C4E-8E33-C42BEA8F53D0",
"versionEndIncluding": "11.3",
"versionStartIncluding": "10.9.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A SQL injection vulnerability in ArcGIS Server allows an EDIT\u00a0operation to modify Column properties allowing for the execution of a SQL Injection by a remote authenticated user with elevated (non admin) privileges.\u00a0 There is a high impact to integrity and confidentiality and no impact to availability."
},
{
"lang": "es",
"value": "Una vulnerabilidad de inyecci\u00f3n SQL en ArcGIS Server permite que una operaci\u00f3n EDIT modifique las propiedades de las columnas, lo que permite la ejecuci\u00f3n de una inyecci\u00f3n SQL por parte de un usuario autenticado remoto con privilegios elevados (no administrativos). Esto tiene un gran impacto en la integridad y la confidencialidad, pero no en la disponibilidad."
}
],
"id": "CVE-2024-51962",
"lastModified": "2025-03-06T14:34:53.797",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 5.8,
"source": "psirt@esri.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 5.8,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-03-03T20:15:43.043",
"references": [
{
"source": "psirt@esri.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/"
}
],
"sourceIdentifier": "psirt@esri.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "psirt@esri.com",
"type": "Primary"
}
]
}
FKIE_CVE-2024-5888
Vulnerability from fkie_nvd - Published: 2025-03-03 20:15 - Updated: 2025-04-10 20:15
Severity ?
Summary
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| esri | arcgis_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0F9FCA91-B1DE-4C4E-8E33-C42BEA8F53D0",
"versionEndIncluding": "11.3",
"versionStartIncluding": "10.9.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim\u2019s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de cross-site scripting almacenado en ArcGIS Server para las versiones 10.9.1 a 11.3 que puede permitir que un atacante remoto autenticado cree un v\u00ednculo almacenado y manipulado que, al hacer clic en \u00e9l, podr\u00eda ejecutar c\u00f3digo JavaScript arbitrario en el navegador de la v\u00edctima. Los privilegios necesarios para ejecutar este ataque son altos y requieren capacidades de publicaci\u00f3n. El impacto es bajo tanto para la confidencialidad como para la integridad, pero no tiene impacto en la disponibilidad."
}
],
"id": "CVE-2024-5888",
"lastModified": "2025-04-10T20:15:21.987",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "psirt@esri.com",
"type": "Primary"
}
]
},
"published": "2025-03-03T20:15:43.940",
"references": [
{
"source": "psirt@esri.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/"
}
],
"sourceIdentifier": "psirt@esri.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "psirt@esri.com",
"type": "Primary"
}
]
}
FKIE_CVE-2024-51959
Vulnerability from fkie_nvd - Published: 2025-03-03 20:15 - Updated: 2025-04-10 20:15
Severity ?
Summary
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| esri | arcgis_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0F9FCA91-B1DE-4C4E-8E33-C42BEA8F53D0",
"versionEndIncluding": "11.3",
"versionStartIncluding": "10.9.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim\u2019s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de cross-site scripting almacenado en ArcGIS Server para las versiones 10.9.1 a 11.3 que puede permitir que un atacante remoto autenticado cree un v\u00ednculo almacenado y manipulado que, al hacer clic en \u00e9l, podr\u00eda ejecutar c\u00f3digo JavaScript arbitrario en el navegador de la v\u00edctima. Los privilegios necesarios para ejecutar este ataque son altos y requieren capacidades de publicaci\u00f3n. El impacto es bajo tanto para la confidencialidad como para la integridad, pero no tiene impacto en la disponibilidad."
}
],
"id": "CVE-2024-51959",
"lastModified": "2025-04-10T20:15:21.250",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "psirt@esri.com",
"type": "Primary"
}
]
},
"published": "2025-03-03T20:15:42.550",
"references": [
{
"source": "psirt@esri.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/"
}
],
"sourceIdentifier": "psirt@esri.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "psirt@esri.com",
"type": "Primary"
}
]
}
FKIE_CVE-2024-51960
Vulnerability from fkie_nvd - Published: 2025-03-03 20:15 - Updated: 2025-04-10 20:15
Severity ?
Summary
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| esri | arcgis_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0F9FCA91-B1DE-4C4E-8E33-C42BEA8F53D0",
"versionEndIncluding": "11.3",
"versionStartIncluding": "10.9.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim\u2019s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de cross-site scripting almacenado en ArcGIS Server para las versiones 10.9.1 a 11.3 que puede permitir que un atacante remoto autenticado cree un v\u00ednculo almacenado y manipulado que, al hacer clic en \u00e9l, podr\u00eda ejecutar c\u00f3digo JavaScript arbitrario en el navegador de la v\u00edctima. Los privilegios necesarios para ejecutar este ataque son altos y requieren capacidades de publicaci\u00f3n. El impacto es bajo tanto para la confidencialidad como para la integridad, pero no tiene impacto en la disponibilidad."
}
],
"id": "CVE-2024-51960",
"lastModified": "2025-04-10T20:15:21.360",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "psirt@esri.com",
"type": "Primary"
}
]
},
"published": "2025-03-03T20:15:42.707",
"references": [
{
"source": "psirt@esri.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/"
}
],
"sourceIdentifier": "psirt@esri.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "psirt@esri.com",
"type": "Primary"
}
]
}
FKIE_CVE-2024-51961
Vulnerability from fkie_nvd - Published: 2025-03-03 20:15 - Updated: 2025-04-10 20:15
Severity ?
Summary
There is a local file inclusion vulnerability in ArcGIS Server 11.3 and below that may allow a remote, unauthenticated attacker to craft a URL that could potentially disclose sensitive configuration information by reading internal files from the remote server. Due to the nature of the files accessible in this vulnerability the impact to confidentiality is High there is no impact to both integrity or availability.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| esri | arcgis_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0F9FCA91-B1DE-4C4E-8E33-C42BEA8F53D0",
"versionEndIncluding": "11.3",
"versionStartIncluding": "10.9.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "There is a local file inclusion vulnerability in ArcGIS Server 11.3 and below that may allow a remote, unauthenticated attacker to craft a URL that could potentially disclose sensitive configuration information by reading internal files from the remote server.\u00a0 Due to the nature of the files accessible in this vulnerability the impact to confidentiality is High there is no impact to both integrity or availability."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de inclusi\u00f3n de archivos locales en ArcGIS Server 10.9.1 a 11.3 que puede permitir que un atacante remoto no autenticado manipule una URL que podr\u00eda revelar informaci\u00f3n de configuraci\u00f3n confidencial al leer archivos internos del servidor remoto. Debido a la naturaleza de los archivos a los que se puede acceder en esta vulnerabilidad, el impacto en la confidencialidad es alto y no hay impacto en la integridad ni en la disponibilidad."
}
],
"id": "CVE-2024-51961",
"lastModified": "2025-04-10T20:15:21.467",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "psirt@esri.com",
"type": "Primary"
}
]
},
"published": "2025-03-03T20:15:42.863",
"references": [
{
"source": "psirt@esri.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/"
}
],
"sourceIdentifier": "psirt@esri.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-73"
}
],
"source": "psirt@esri.com",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-610"
}
],
"source": "nvd@nist.gov",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-51956
Vulnerability from fkie_nvd - Published: 2025-03-03 20:15 - Updated: 2025-04-10 20:15
Severity ?
Summary
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| esri | arcgis_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0F9FCA91-B1DE-4C4E-8E33-C42BEA8F53D0",
"versionEndIncluding": "11.3",
"versionStartIncluding": "10.9.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim\u2019s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de cross-site scripting almacenado en ArcGIS Server para las versiones 10.9.1 a 11.3 que puede permitir que un atacante remoto autenticado cree un v\u00ednculo almacenado y manipulado que, al hacer clic en \u00e9l, podr\u00eda ejecutar c\u00f3digo JavaScript arbitrario en el navegador de la v\u00edctima. Los privilegios necesarios para ejecutar este ataque son altos y requieren capacidades de publicaci\u00f3n. El impacto es bajo tanto para la confidencialidad como para la integridad, pero no tiene impacto en la disponibilidad."
}
],
"id": "CVE-2024-51956",
"lastModified": "2025-04-10T20:15:20.883",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "psirt@esri.com",
"type": "Primary"
}
]
},
"published": "2025-03-03T20:15:42.063",
"references": [
{
"source": "psirt@esri.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/"
}
],
"sourceIdentifier": "psirt@esri.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "psirt@esri.com",
"type": "Primary"
}
]
}
FKIE_CVE-2024-51958
Vulnerability from fkie_nvd - Published: 2025-03-03 20:15 - Updated: 2025-04-10 20:15
Severity ?
Summary
There is a path traversal vulnerability in ESRI ArcGIS Server versions 11.3 and below. Successful exploitation may allow a remote authenticated attacker with admin privileges to traverse the file system to access files outside of the intended directory. There is no impact to integrity or availability due to the nature of the files that can be accessed, but there is a potential high impact to confidentiality.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| esri | arcgis_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0F9FCA91-B1DE-4C4E-8E33-C42BEA8F53D0",
"versionEndIncluding": "11.3",
"versionStartIncluding": "10.9.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "There is a path traversal vulnerability in ESRI ArcGIS Server versions 11.3 and below. Successful exploitation may allow a remote authenticated attacker with admin privileges to traverse the file system to access files outside of the intended directory.\u00a0 There is no impact to integrity or availability due to the nature of the files that can be accessed, but there is a potential high impact to confidentiality."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de path traversal en las versiones 10.9.1 a 11.3 de ESRI ArcGIS Server. Si se explota con \u00e9xito, es posible que un atacante remoto autenticado con privilegios de administrador pueda recorrer el sistema de archivos para acceder a archivos fuera del directorio previsto. No hay impacto en la integridad ni en la disponibilidad debido a la naturaleza de los archivos a los que se puede acceder, pero existe un alto potencial de impacto en la confidencialidad."
}
],
"id": "CVE-2024-51958",
"lastModified": "2025-04-10T20:15:21.150",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 3.6,
"source": "psirt@esri.com",
"type": "Primary"
}
]
},
"published": "2025-03-03T20:15:42.397",
"references": [
{
"source": "psirt@esri.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/"
}
],
"sourceIdentifier": "psirt@esri.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "psirt@esri.com",
"type": "Primary"
}
]
}
FKIE_CVE-2024-51957
Vulnerability from fkie_nvd - Published: 2025-03-03 20:15 - Updated: 2025-04-10 20:15
Severity ?
Summary
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| esri | arcgis_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0F9FCA91-B1DE-4C4E-8E33-C42BEA8F53D0",
"versionEndIncluding": "11.3",
"versionStartIncluding": "10.9.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim\u2019s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de cross-site scripting almacenado en ArcGIS Server para las versiones 10.9.1 a 11.3 que puede permitir que un atacante remoto autenticado cree un v\u00ednculo almacenado y manipulado que, al hacer clic en \u00e9l, podr\u00eda ejecutar c\u00f3digo JavaScript arbitrario en el navegador de la v\u00edctima. Los privilegios necesarios para ejecutar este ataque son altos y requieren capacidades de publicaci\u00f3n. El impacto es bajo tanto para la confidencialidad como para la integridad, pero no tiene impacto en la disponibilidad."
}
],
"id": "CVE-2024-51957",
"lastModified": "2025-04-10T20:15:21.020",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "psirt@esri.com",
"type": "Primary"
}
]
},
"published": "2025-03-03T20:15:42.217",
"references": [
{
"source": "psirt@esri.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/"
}
],
"sourceIdentifier": "psirt@esri.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "psirt@esri.com",
"type": "Primary"
}
]
}
FKIE_CVE-2024-51950
Vulnerability from fkie_nvd - Published: 2025-03-03 20:15 - Updated: 2025-04-10 20:15
Severity ?
Summary
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| esri | arcgis_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0F9FCA91-B1DE-4C4E-8E33-C42BEA8F53D0",
"versionEndIncluding": "11.3",
"versionStartIncluding": "10.9.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim\u2019s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de cross-site scripting almacenado en ArcGIS Server para las versiones 10.9.1 a 11.3 que puede permitir que un atacante remoto autenticado cree un v\u00ednculo almacenado y manipulado que, al hacer clic en \u00e9l, podr\u00eda ejecutar c\u00f3digo JavaScript arbitrario en el navegador de la v\u00edctima. Los privilegios necesarios para ejecutar este ataque son altos y requieren capacidades de publicaci\u00f3n. El impacto es bajo tanto para la confidencialidad como para la integridad, pero no tiene impacto en la disponibilidad."
}
],
"id": "CVE-2024-51950",
"lastModified": "2025-04-10T20:15:20.270",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "psirt@esri.com",
"type": "Primary"
}
]
},
"published": "2025-03-03T20:15:41.277",
"references": [
{
"source": "psirt@esri.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/"
}
],
"sourceIdentifier": "psirt@esri.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "psirt@esri.com",
"type": "Primary"
}
]
}
FKIE_CVE-2024-51952
Vulnerability from fkie_nvd - Published: 2025-03-03 20:15 - Updated: 2025-04-10 20:15
Severity ?
Summary
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| esri | arcgis_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0F9FCA91-B1DE-4C4E-8E33-C42BEA8F53D0",
"versionEndIncluding": "11.3",
"versionStartIncluding": "10.9.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim\u2019s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de cross-site scripting almacenado en ArcGIS Server para las versiones 10.9.1 a 11.3 que puede permitir que un atacante remoto autenticado cree un v\u00ednculo almacenado y manipulado que, al hacer clic en \u00e9l, podr\u00eda ejecutar c\u00f3digo JavaScript arbitrario en el navegador de la v\u00edctima. Los privilegios necesarios para ejecutar este ataque son altos y requieren capacidades de publicaci\u00f3n. El impacto es bajo tanto para la confidencialidad como para la integridad, pero no tiene impacto en la disponibilidad."
}
],
"id": "CVE-2024-51952",
"lastModified": "2025-04-10T20:15:20.497",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "psirt@esri.com",
"type": "Primary"
}
]
},
"published": "2025-03-03T20:15:41.593",
"references": [
{
"source": "psirt@esri.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/"
}
],
"sourceIdentifier": "psirt@esri.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "psirt@esri.com",
"type": "Primary"
}
]
}
FKIE_CVE-2024-51949
Vulnerability from fkie_nvd - Published: 2025-03-03 20:15 - Updated: 2025-04-10 20:15
Severity ?
Summary
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| esri | arcgis_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0F9FCA91-B1DE-4C4E-8E33-C42BEA8F53D0",
"versionEndIncluding": "11.3",
"versionStartIncluding": "10.9.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim\u2019s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de cross-site scripting almacenado en ArcGIS Server para las versiones 10.9.1 a 11.3 que puede permitir que un atacante remoto autenticado cree un v\u00ednculo almacenado y manipulado que, al hacer clic en \u00e9l, podr\u00eda ejecutar c\u00f3digo JavaScript arbitrario en el navegador de la v\u00edctima. Los privilegios necesarios para ejecutar este ataque son altos y requieren capacidades de publicaci\u00f3n. El impacto es bajo tanto para la confidencialidad como para la integridad, pero no tiene impacto en la disponibilidad."
}
],
"id": "CVE-2024-51949",
"lastModified": "2025-04-10T20:15:20.140",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "psirt@esri.com",
"type": "Primary"
}
]
},
"published": "2025-03-03T20:15:41.110",
"references": [
{
"source": "psirt@esri.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/"
}
],
"sourceIdentifier": "psirt@esri.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "psirt@esri.com",
"type": "Primary"
}
]
}
FKIE_CVE-2024-51951
Vulnerability from fkie_nvd - Published: 2025-03-03 20:15 - Updated: 2025-04-10 20:15
Severity ?
Summary
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| esri | arcgis_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0F9FCA91-B1DE-4C4E-8E33-C42BEA8F53D0",
"versionEndIncluding": "11.3",
"versionStartIncluding": "10.9.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim\u2019s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de cross-site scripting almacenado en ArcGIS Server para las versiones 10.9.1 a 11.3 que puede permitir que un atacante remoto autenticado cree un v\u00ednculo almacenado y manipulado que, al hacer clic en \u00e9l, podr\u00eda ejecutar c\u00f3digo JavaScript arbitrario en el navegador de la v\u00edctima. Los privilegios necesarios para ejecutar este ataque son altos y requieren capacidades de publicaci\u00f3n. El impacto es bajo tanto para la confidencialidad como para la integridad, pero no tiene impacto en la disponibilidad."
}
],
"id": "CVE-2024-51951",
"lastModified": "2025-04-10T20:15:20.387",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "psirt@esri.com",
"type": "Primary"
}
]
},
"published": "2025-03-03T20:15:41.437",
"references": [
{
"source": "psirt@esri.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/"
}
],
"sourceIdentifier": "psirt@esri.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "psirt@esri.com",
"type": "Primary"
}
]
}
FKIE_CVE-2024-51953
Vulnerability from fkie_nvd - Published: 2025-03-03 20:15 - Updated: 2025-04-10 20:15
Severity ?
Summary
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| esri | arcgis_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0F9FCA91-B1DE-4C4E-8E33-C42BEA8F53D0",
"versionEndIncluding": "11.3",
"versionStartIncluding": "10.9.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim\u2019s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de cross-site scripting almacenado en ArcGIS Server para las versiones 10.9.1 a 11.3 que puede permitir que un atacante remoto autenticado cree un v\u00ednculo almacenado y manipulado que, al hacer clic en \u00e9l, podr\u00eda ejecutar c\u00f3digo JavaScript arbitrario en el navegador de la v\u00edctima. Los privilegios necesarios para ejecutar este ataque son altos y requieren capacidades de publicaci\u00f3n. El impacto es bajo tanto para la confidencialidad como para la integridad, pero no tiene impacto en la disponibilidad."
}
],
"id": "CVE-2024-51953",
"lastModified": "2025-04-10T20:15:20.617",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "psirt@esri.com",
"type": "Primary"
}
]
},
"published": "2025-03-03T20:15:41.747",
"references": [
{
"source": "psirt@esri.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/"
}
],
"sourceIdentifier": "psirt@esri.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "psirt@esri.com",
"type": "Primary"
}
]
}
FKIE_CVE-2024-51954
Vulnerability from fkie_nvd - Published: 2025-03-03 20:15 - Updated: 2025-04-10 20:15
Severity ?
8.5 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
7.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
7.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Summary
There is an improper access control issue in ArcGIS Server versions 11.3 and below on Windows and Linux, which under unique circumstances, could potentially allow a remote, low privileged authenticated attacker to access secure services published a standalone (Unfederated)
ArcGIS Server instance. If successful this compromise would have a high impact on Confidentiality, low impact on integrity and no impact to availability of the software.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| esri | arcgis_server | * | |
| linux | linux_kernel | - | |
| microsoft | windows | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0F9FCA91-B1DE-4C4E-8E33-C42BEA8F53D0",
"versionEndIncluding": "11.3",
"versionStartIncluding": "10.9.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*",
"matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "There is an improper access control issue in ArcGIS Server versions 11.3 and below on Windows and Linux, which under unique circumstances, could potentially allow a remote, low privileged authenticated attacker to access secure services published a standalone\u00a0(Unfederated)\n\nArcGIS Server instance.\u00a0 If successful this compromise would have a high impact on Confidentiality, low impact on integrity and no impact to availability of the software."
},
{
"lang": "es",
"value": "Existe un problema de control de acceso inadecuado en las versiones 10.9.1 a 11.3 de ArcGIS Server en Windows y Linux que, en circunstancias excepcionales, podr\u00eda permitir que un atacante remoto autenticado con pocos privilegios acceda a servicios seguros publicados en una instancia independiente (no federada) de ArcGIS Server. Si tiene \u00e9xito, esta vulneraci\u00f3n tendr\u00eda un gran impacto en la confidencialidad, un bajo impacto en la integridad y ning\u00fan impacto en la disponibilidad del software."
}
],
"id": "CVE-2024-51954",
"lastModified": "2025-04-10T20:15:20.743",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 4.7,
"source": "psirt@esri.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 4.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-03-03T20:15:41.903",
"references": [
{
"source": "psirt@esri.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/"
}
],
"sourceIdentifier": "psirt@esri.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "psirt@esri.com",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-51942
Vulnerability from fkie_nvd - Published: 2025-03-03 20:15 - Updated: 2025-04-10 20:15
Severity ?
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Summary
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| esri | arcgis_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0F9FCA91-B1DE-4C4E-8E33-C42BEA8F53D0",
"versionEndIncluding": "11.3",
"versionStartIncluding": "10.9.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim\u2019s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de cross-site scripting almacenado en ArcGIS Server para las versiones 10.9.1 a 11.3 que puede permitir que un atacante remoto autenticado cree un v\u00ednculo almacenado y manipulado que, al hacer clic en \u00e9l, podr\u00eda ejecutar c\u00f3digo JavaScript arbitrario en el navegador de la v\u00edctima. Los privilegios necesarios para ejecutar este ataque son altos y requieren capacidades de publicaci\u00f3n. El impacto es bajo tanto para la confidencialidad como para la integridad, pero no tiene impacto en la disponibilidad."
}
],
"id": "CVE-2024-51942",
"lastModified": "2025-04-10T20:15:19.447",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "psirt@esri.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-03-03T20:15:40.167",
"references": [
{
"source": "psirt@esri.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/"
}
],
"sourceIdentifier": "psirt@esri.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "psirt@esri.com",
"type": "Primary"
}
]
}
FKIE_CVE-2024-51945
Vulnerability from fkie_nvd - Published: 2025-03-03 20:15 - Updated: 2025-04-10 20:15
Severity ?
Summary
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| esri | arcgis_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0F9FCA91-B1DE-4C4E-8E33-C42BEA8F53D0",
"versionEndIncluding": "11.3",
"versionStartIncluding": "10.9.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim\u2019s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de cross-site scripting almacenado en ArcGIS Server para las versiones 10.9.1 a 11.3 que puede permitir que un atacante remoto autenticado cree un v\u00ednculo almacenado y manipulado que, al hacer clic en \u00e9l, podr\u00eda ejecutar c\u00f3digo JavaScript arbitrario en el navegador de la v\u00edctima. Los privilegios necesarios para ejecutar este ataque son altos y requieren capacidades de publicaci\u00f3n. El impacto es bajo tanto para la confidencialidad como para la integridad, pero no tiene impacto en la disponibilidad."
}
],
"id": "CVE-2024-51945",
"lastModified": "2025-04-10T20:15:19.690",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "psirt@esri.com",
"type": "Primary"
}
]
},
"published": "2025-03-03T20:15:40.483",
"references": [
{
"source": "psirt@esri.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/"
}
],
"sourceIdentifier": "psirt@esri.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "psirt@esri.com",
"type": "Primary"
}
]
}
FKIE_CVE-2024-51946
Vulnerability from fkie_nvd - Published: 2025-03-03 20:15 - Updated: 2025-04-10 20:15
Severity ?
Summary
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| esri | arcgis_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0F9FCA91-B1DE-4C4E-8E33-C42BEA8F53D0",
"versionEndIncluding": "11.3",
"versionStartIncluding": "10.9.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim\u2019s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de cross-site scripting almacenado en ArcGIS Server para las versiones 10.9.1 a 11.3 que puede permitir que un atacante remoto autenticado cree un v\u00ednculo almacenado y manipulado que, al hacer clic en \u00e9l, podr\u00eda ejecutar c\u00f3digo JavaScript arbitrario en el navegador de la v\u00edctima. Los privilegios necesarios para ejecutar este ataque son altos y requieren capacidades de publicaci\u00f3n. El impacto es bajo tanto para la confidencialidad como para la integridad, pero no tiene impacto en la disponibilidad."
}
],
"id": "CVE-2024-51946",
"lastModified": "2025-04-10T20:15:19.797",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "psirt@esri.com",
"type": "Primary"
}
]
},
"published": "2025-03-03T20:15:40.640",
"references": [
{
"source": "psirt@esri.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/"
}
],
"sourceIdentifier": "psirt@esri.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "psirt@esri.com",
"type": "Primary"
}
]
}
FKIE_CVE-2024-51944
Vulnerability from fkie_nvd - Published: 2025-03-03 20:15 - Updated: 2025-04-10 20:15
Severity ?
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Summary
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| esri | arcgis_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0F9FCA91-B1DE-4C4E-8E33-C42BEA8F53D0",
"versionEndIncluding": "11.3",
"versionStartIncluding": "10.9.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim\u2019s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de cross-site scripting almacenado en ArcGIS Server para las versiones 10.9.1 a 11.3 que puede permitir que un atacante remoto autenticado cree un v\u00ednculo almacenado y manipulado que, al hacer clic en \u00e9l, podr\u00eda ejecutar c\u00f3digo JavaScript arbitrario en el navegador de la v\u00edctima. Los privilegios necesarios para ejecutar este ataque son altos y requieren capacidades de publicaci\u00f3n. El impacto es bajo tanto para la confidencialidad como para la integridad, pero no tiene impacto en la disponibilidad."
}
],
"id": "CVE-2024-51944",
"lastModified": "2025-04-10T20:15:19.567",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "psirt@esri.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-03-03T20:15:40.327",
"references": [
{
"source": "psirt@esri.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/"
}
],
"sourceIdentifier": "psirt@esri.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "psirt@esri.com",
"type": "Primary"
}
]
}
FKIE_CVE-2024-51948
Vulnerability from fkie_nvd - Published: 2025-03-03 20:15 - Updated: 2025-04-10 20:15
Severity ?
Summary
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| esri | arcgis_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0F9FCA91-B1DE-4C4E-8E33-C42BEA8F53D0",
"versionEndIncluding": "11.3",
"versionStartIncluding": "10.9.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim\u2019s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de cross-site scripting almacenado en ArcGIS Server para las versiones 10.9.1 a 11.3 que puede permitir que un atacante remoto autenticado cree un v\u00ednculo almacenado y manipulado que, al hacer clic en \u00e9l, podr\u00eda ejecutar c\u00f3digo JavaScript arbitrario en el navegador de la v\u00edctima. Los privilegios necesarios para ejecutar este ataque son altos y requieren capacidades de publicaci\u00f3n. El impacto es bajo tanto para la confidencialidad como para la integridad, pero no tiene impacto en la disponibilidad."
}
],
"id": "CVE-2024-51948",
"lastModified": "2025-04-10T20:15:20.023",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "psirt@esri.com",
"type": "Primary"
}
]
},
"published": "2025-03-03T20:15:40.953",
"references": [
{
"source": "psirt@esri.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/"
}
],
"sourceIdentifier": "psirt@esri.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "psirt@esri.com",
"type": "Primary"
}
]
}
FKIE_CVE-2024-51947
Vulnerability from fkie_nvd - Published: 2025-03-03 20:15 - Updated: 2025-04-10 20:15
Severity ?
Summary
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| esri | arcgis_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0F9FCA91-B1DE-4C4E-8E33-C42BEA8F53D0",
"versionEndIncluding": "11.3",
"versionStartIncluding": "10.9.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim\u2019s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de cross-site scripting almacenado en ArcGIS Server para las versiones 10.9.1 a 11.3 que puede permitir que un atacante remoto autenticado cree un v\u00ednculo almacenado y manipulado que, al hacer clic en \u00e9l, podr\u00eda ejecutar c\u00f3digo JavaScript arbitrario en el navegador de la v\u00edctima. Los privilegios necesarios para ejecutar este ataque son altos y requieren capacidades de publicaci\u00f3n. El impacto es bajo tanto para la confidencialidad como para la integridad, pero no tiene impacto en la disponibilidad."
}
],
"id": "CVE-2024-51947",
"lastModified": "2025-04-10T20:15:19.910",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "psirt@esri.com",
"type": "Primary"
}
]
},
"published": "2025-03-03T20:15:40.797",
"references": [
{
"source": "psirt@esri.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/"
}
],
"sourceIdentifier": "psirt@esri.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "psirt@esri.com",
"type": "Primary"
}
]
}
FKIE_CVE-2024-10904
Vulnerability from fkie_nvd - Published: 2025-03-03 20:15 - Updated: 2025-04-10 20:15
Severity ?
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Summary
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| esri | arcgis_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0F9FCA91-B1DE-4C4E-8E33-C42BEA8F53D0",
"versionEndIncluding": "11.3",
"versionStartIncluding": "10.9.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim\u2019s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de cross-site scripting almacenado en ArcGIS Server para las versiones 10.9.1 a 11.3 que puede permitir que un atacante remoto autenticado cree un v\u00ednculo almacenado y manipulado que, al hacer clic en \u00e9l, podr\u00eda ejecutar c\u00f3digo JavaScript arbitrario en el navegador de la v\u00edctima. Los privilegios necesarios para ejecutar este ataque son altos y requieren capacidades de publicaci\u00f3n. El impacto es bajo tanto para la confidencialidad como para la integridad, pero no tiene impacto en la disponibilidad."
}
],
"id": "CVE-2024-10904",
"lastModified": "2025-04-10T20:15:18.297",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "psirt@esri.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-03-03T20:15:39.990",
"references": [
{
"source": "psirt@esri.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/"
}
],
"sourceIdentifier": "psirt@esri.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "psirt@esri.com",
"type": "Primary"
}
]
}
CVE-2025-57870 (GCVE-0-2025-57870)
Vulnerability from cvelistv5 – Published: 2025-10-22 14:26 – Updated: 2025-10-23 03:55
VLAI?
Summary
A SQL Injection vulnerability exists in Esri ArcGIS Server versions 11.3, 11.4 and 11.5 on Windows, Linux and Kubernetes. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary SQL commands via a specific ArcGIS Feature Service operation. Successful exploitation can potentially result in unauthorized access, modification, or deletion of data from the underlying Enterprise Geodatabase.
Severity ?
10 (Critical)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Esri | ArcGIS Server |
Affected:
11.3 , ≤ 11.5
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-57870",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-22T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-23T03:55:33.519Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux",
"kubernetes"
],
"product": "ArcGIS Server",
"vendor": "Esri",
"versions": [
{
"lessThanOrEqual": "11.5",
"status": "affected",
"version": "11.3",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-10-22T14:23:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\n\n\n\n\u003c/p\u003e\u003cp\u003eA SQL Injection vulnerability exists in Esri ArcGIS Server versions 11.3, 11.4 and 11.5 on Windows, Linux and Kubernetes. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary SQL commands via a specific ArcGIS Feature Service operation. Successful exploitation can potentially result in unauthorized access, modification, or deletion of data from the underlying Enterprise Geodatabase.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u0026nbsp;"
}
],
"value": "A SQL Injection vulnerability exists in Esri ArcGIS Server versions 11.3, 11.4 and 11.5 on Windows, Linux and Kubernetes. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary SQL commands via a specific ArcGIS Feature Service operation. Successful exploitation can potentially result in unauthorized access, modification, or deletion of data from the underlying Enterprise Geodatabase."
}
],
"impacts": [
{
"capecId": "CAPEC-108",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-108 Command Line Execution through SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T14:26:22.857Z",
"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"shortName": "Esri"
},
"references": [
{
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-feature-services-security-patch"
}
],
"source": {
"defect": [
"BUG-000179884"
],
"discovery": "EXTERNAL"
},
"title": "BUG-000179884 - There is a security vulnerability in ArcGIS Server Feature Services.",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"assignerShortName": "Esri",
"cveId": "CVE-2025-57870",
"datePublished": "2025-10-22T14:26:22.857Z",
"dateReserved": "2025-08-21T19:31:57.229Z",
"dateUpdated": "2025-10-23T03:55:33.519Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-51966 (GCVE-0-2024-51966)
Vulnerability from cvelistv5 – Published: 2025-03-03 19:59 – Updated: 2025-04-10 19:29
VLAI?
Summary
There is a path traversal vulnerability in ESRI ArcGIS Server versions 11.3 and below. Successful exploitation may allow a remote authenticated attacker with admin privileges to traverse the file system to access files outside of the intended directory. There is no impact to integrity or availability due to the nature of the files that can be accessed, but there is a potential high impact to confidentiality.
Severity ?
4.9 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Esri | ArcGIS Server |
Affected:
all , ≤ 11.3
(all)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-51966",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-03T20:33:38.782915Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-03T20:33:46.986Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux"
],
"product": "ArcGIS Server",
"vendor": "Esri",
"versions": [
{
"lessThanOrEqual": "11.3",
"status": "affected",
"version": "all",
"versionType": "all"
}
]
}
],
"datePublic": "2025-02-28T20:40:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "There is a path traversal vulnerability in ESRI ArcGIS Server versions 11.3 and below. Successful exploitation may allow a remote authenticated attacker with admin privileges to traverse the file system to access files outside of the intended directory. There is no impact to integrity or availability due to the nature of the files that can be accessed, but there is a potential high impact to confidentiality.\u0026nbsp;"
}
],
"value": "There is a path traversal vulnerability in ESRI ArcGIS Server versions 11.3 and below. Successful exploitation may allow a remote authenticated attacker with admin privileges to traverse the file system to access files outside of the intended directory. There is no impact to integrity or availability due to the nature of the files that can be accessed, but there is a potential high impact to confidentiality."
}
],
"impacts": [
{
"capecId": "CAPEC-126",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-126 Path Traversal"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-10T19:29:07.421Z",
"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"shortName": "Esri"
},
"references": [
{
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/"
}
],
"source": {
"defect": [
"BUG-000171445"
],
"discovery": "INTERNAL"
},
"title": "Directory traversal vulnerability in ArcGIS Server",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"assignerShortName": "Esri",
"cveId": "CVE-2024-51966",
"datePublished": "2025-03-03T19:59:14.080Z",
"dateReserved": "2024-11-04T16:54:40.931Z",
"dateUpdated": "2025-04-10T19:29:07.421Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-51963 (GCVE-0-2024-51963)
Vulnerability from cvelistv5 – Published: 2025-03-03 19:59 – Updated: 2025-04-10 19:22
VLAI?
Summary
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and follow that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.
Severity ?
4.8 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Esri | ArcGIS Server |
Affected:
all , ≤ 11.3
(all)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-51963",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-03T20:33:55.868487Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-03T20:34:05.145Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux"
],
"product": "ArcGIS Server",
"vendor": "Esri",
"versions": [
{
"lessThanOrEqual": "11.3",
"status": "affected",
"version": "all",
"versionType": "all"
}
]
}
],
"datePublic": "2025-02-28T20:25:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and follow that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim\u2019s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability."
}
],
"value": "There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and follow that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim\u2019s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-10T19:22:58.294Z",
"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"shortName": "Esri"
},
"references": [
{
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/"
}
],
"source": {
"defect": [
"BUG-000171441"
],
"discovery": "UNKNOWN"
},
"title": "Stored XSS in ArcGIS Server Manager",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"assignerShortName": "Esri",
"cveId": "CVE-2024-51963",
"datePublished": "2025-03-03T19:59:01.450Z",
"dateReserved": "2024-11-04T16:54:40.930Z",
"dateUpdated": "2025-04-10T19:22:58.294Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-57870 (GCVE-0-2025-57870)
Vulnerability from nvd – Published: 2025-10-22 14:26 – Updated: 2025-10-23 03:55
VLAI?
Summary
A SQL Injection vulnerability exists in Esri ArcGIS Server versions 11.3, 11.4 and 11.5 on Windows, Linux and Kubernetes. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary SQL commands via a specific ArcGIS Feature Service operation. Successful exploitation can potentially result in unauthorized access, modification, or deletion of data from the underlying Enterprise Geodatabase.
Severity ?
10 (Critical)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Esri | ArcGIS Server |
Affected:
11.3 , ≤ 11.5
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-57870",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-22T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-23T03:55:33.519Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux",
"kubernetes"
],
"product": "ArcGIS Server",
"vendor": "Esri",
"versions": [
{
"lessThanOrEqual": "11.5",
"status": "affected",
"version": "11.3",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-10-22T14:23:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\n\n\n\n\u003c/p\u003e\u003cp\u003eA SQL Injection vulnerability exists in Esri ArcGIS Server versions 11.3, 11.4 and 11.5 on Windows, Linux and Kubernetes. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary SQL commands via a specific ArcGIS Feature Service operation. Successful exploitation can potentially result in unauthorized access, modification, or deletion of data from the underlying Enterprise Geodatabase.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u0026nbsp;"
}
],
"value": "A SQL Injection vulnerability exists in Esri ArcGIS Server versions 11.3, 11.4 and 11.5 on Windows, Linux and Kubernetes. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary SQL commands via a specific ArcGIS Feature Service operation. Successful exploitation can potentially result in unauthorized access, modification, or deletion of data from the underlying Enterprise Geodatabase."
}
],
"impacts": [
{
"capecId": "CAPEC-108",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-108 Command Line Execution through SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T14:26:22.857Z",
"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"shortName": "Esri"
},
"references": [
{
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-feature-services-security-patch"
}
],
"source": {
"defect": [
"BUG-000179884"
],
"discovery": "EXTERNAL"
},
"title": "BUG-000179884 - There is a security vulnerability in ArcGIS Server Feature Services.",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"assignerShortName": "Esri",
"cveId": "CVE-2025-57870",
"datePublished": "2025-10-22T14:26:22.857Z",
"dateReserved": "2025-08-21T19:31:57.229Z",
"dateUpdated": "2025-10-23T03:55:33.519Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-51966 (GCVE-0-2024-51966)
Vulnerability from nvd – Published: 2025-03-03 19:59 – Updated: 2025-04-10 19:29
VLAI?
Summary
There is a path traversal vulnerability in ESRI ArcGIS Server versions 11.3 and below. Successful exploitation may allow a remote authenticated attacker with admin privileges to traverse the file system to access files outside of the intended directory. There is no impact to integrity or availability due to the nature of the files that can be accessed, but there is a potential high impact to confidentiality.
Severity ?
4.9 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Esri | ArcGIS Server |
Affected:
all , ≤ 11.3
(all)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-51966",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-03T20:33:38.782915Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-03T20:33:46.986Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux"
],
"product": "ArcGIS Server",
"vendor": "Esri",
"versions": [
{
"lessThanOrEqual": "11.3",
"status": "affected",
"version": "all",
"versionType": "all"
}
]
}
],
"datePublic": "2025-02-28T20:40:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "There is a path traversal vulnerability in ESRI ArcGIS Server versions 11.3 and below. Successful exploitation may allow a remote authenticated attacker with admin privileges to traverse the file system to access files outside of the intended directory. There is no impact to integrity or availability due to the nature of the files that can be accessed, but there is a potential high impact to confidentiality.\u0026nbsp;"
}
],
"value": "There is a path traversal vulnerability in ESRI ArcGIS Server versions 11.3 and below. Successful exploitation may allow a remote authenticated attacker with admin privileges to traverse the file system to access files outside of the intended directory. There is no impact to integrity or availability due to the nature of the files that can be accessed, but there is a potential high impact to confidentiality."
}
],
"impacts": [
{
"capecId": "CAPEC-126",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-126 Path Traversal"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-10T19:29:07.421Z",
"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"shortName": "Esri"
},
"references": [
{
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/"
}
],
"source": {
"defect": [
"BUG-000171445"
],
"discovery": "INTERNAL"
},
"title": "Directory traversal vulnerability in ArcGIS Server",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"assignerShortName": "Esri",
"cveId": "CVE-2024-51966",
"datePublished": "2025-03-03T19:59:14.080Z",
"dateReserved": "2024-11-04T16:54:40.931Z",
"dateUpdated": "2025-04-10T19:29:07.421Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-51963 (GCVE-0-2024-51963)
Vulnerability from nvd – Published: 2025-03-03 19:59 – Updated: 2025-04-10 19:22
VLAI?
Summary
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and follow that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.
Severity ?
4.8 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Esri | ArcGIS Server |
Affected:
all , ≤ 11.3
(all)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-51963",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-03T20:33:55.868487Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-03T20:34:05.145Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux"
],
"product": "ArcGIS Server",
"vendor": "Esri",
"versions": [
{
"lessThanOrEqual": "11.3",
"status": "affected",
"version": "all",
"versionType": "all"
}
]
}
],
"datePublic": "2025-02-28T20:25:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and follow that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim\u2019s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability."
}
],
"value": "There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and follow that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim\u2019s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-10T19:22:58.294Z",
"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"shortName": "Esri"
},
"references": [
{
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/"
}
],
"source": {
"defect": [
"BUG-000171441"
],
"discovery": "UNKNOWN"
},
"title": "Stored XSS in ArcGIS Server Manager",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"assignerShortName": "Esri",
"cveId": "CVE-2024-51963",
"datePublished": "2025-03-03T19:59:01.450Z",
"dateReserved": "2024-11-04T16:54:40.930Z",
"dateUpdated": "2025-04-10T19:22:58.294Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}