cvelistv5 - cve-2024-51957

CVE-2024-51957 (GCVE-0-2024-51957)

Vulnerability from cvelistv5 – Published: 2025-03-03 19:57 – Updated: 2025-04-10 19:24

Summary

There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.

Severity ?

4.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

Esri

References

URL

Tags

https://www.esri.com/arcgis-blog/products/trust-a…

Impacted products

	Vendor	Product	Version
	Esri	ArcGIS Server	Affected: all , ≤ 11.3 (all)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-51957",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-03T20:52:45.932815Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-03T20:52:57.354Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Windows",
            "Linux"
          ],
          "product": "ArcGIS Server",
          "vendor": "Esri",
          "versions": [
            {
              "lessThanOrEqual": "11.3",
              "status": "affected",
              "version": "all",
              "versionType": "all"
            }
          ]
        }
      ],
      "datePublic": "2025-02-28T20:34:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim\u2019s browser.  The privileges required to execute this attack are high, requiring publisher capabilities.  The impact is low to both confidentiality and integrity while having no impact to availability."
            }
          ],
          "value": "There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim\u2019s browser.  The privileges required to execute this attack are high, requiring publisher capabilities.  The impact is low to both confidentiality and integrity while having no impact to availability."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-63",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-63 Cross-Site Scripting (XSS)"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-10T19:24:28.253Z",
        "orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
        "shortName": "Esri"
      },
      "references": [
        {
          "url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/"
        }
      ],
      "source": {
        "defect": [
          "BUG-000172289"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "Stored XSS vulnerability in ArcGIS Rest Services Directory",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
    "assignerShortName": "Esri",
    "cveId": "CVE-2024-51957",
    "datePublished": "2025-03-03T19:57:35.813Z",
    "dateReserved": "2024-11-04T16:54:39.392Z",
    "dateUpdated": "2025-04-10T19:24:28.253Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-51957\",\"sourceIdentifier\":\"psirt@esri.com\",\"published\":\"2025-03-03T20:15:42.217\",\"lastModified\":\"2025-04-10T20:15:21.020\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim\u2019s browser.  The privileges required to execute this attack are high, requiring publisher capabilities.  The impact is low to both confidentiality and integrity while having no impact to availability.\"},{\"lang\":\"es\",\"value\":\"Existe una vulnerabilidad de cross-site scripting almacenado en ArcGIS Server para las versiones 10.9.1 a 11.3 que puede permitir que un atacante remoto autenticado cree un v\u00ednculo almacenado y manipulado que, al hacer clic en \u00e9l, podr\u00eda ejecutar c\u00f3digo JavaScript arbitrario en el navegador de la v\u00edctima. Los privilegios necesarios para ejecutar este ataque son altos y requieren capacidades de publicaci\u00f3n. El impacto es bajo tanto para la confidencialidad como para la integridad, pero no tiene impacto en la disponibilidad.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"psirt@esri.com\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":4.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.7,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"psirt@esri.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"10.9.1\",\"versionEndIncluding\":\"11.3\",\"matchCriteriaId\":\"0F9FCA91-B1DE-4C4E-8E33-C42BEA8F53D0\"}]}]}],\"references\":[{\"url\":\"https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/\",\"source\":\"psirt@esri.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-51957\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-03-03T20:52:45.932815Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-03-03T20:52:51.441Z\"}}], \"cna\": {\"title\": \"Stored XSS vulnerability in ArcGIS Rest Services Directory\", \"source\": {\"defect\": [\"BUG-000172289\"], \"discovery\": \"UNKNOWN\"}, \"impacts\": [{\"capecId\": \"CAPEC-63\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-63 Cross-Site Scripting (XSS)\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 4.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Esri\", \"product\": \"ArcGIS Server\", \"versions\": [{\"status\": \"affected\", \"version\": \"all\", \"versionType\": \"all\", \"lessThanOrEqual\": \"11.3\"}], \"platforms\": [\"Windows\", \"Linux\"], \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2025-02-28T20:34:00.000Z\", \"references\": [{\"url\": \"https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim\\u2019s browser.  The privileges required to execute this attack are high, requiring publisher capabilities.  The impact is low to both confidentiality and integrity while having no impact to availability.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim\\u2019s browser.  The privileges required to execute this attack are high, requiring publisher capabilities.  The impact is low to both confidentiality and integrity while having no impact to availability.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"cedc17bb-4939-4f40-a1f4-30ae8af1094e\", \"shortName\": \"Esri\", \"dateUpdated\": \"2025-04-10T19:24:28.253Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-51957\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-10T19:24:28.253Z\", \"dateReserved\": \"2024-11-04T16:54:39.392Z\", \"assignerOrgId\": \"cedc17bb-4939-4f40-a1f4-30ae8af1094e\", \"datePublished\": \"2025-03-03T19:57:35.813Z\", \"assignerShortName\": \"Esri\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-5GGX-8W3F-H4GF

Vulnerability from github – Published: 2025-03-03 21:31 – Updated: 2025-04-10 21:31

Details

There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 10.9.1 – 11.3 that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.

Severity ?

4.8 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2024-51957"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-03T20:15:42Z",
    "severity": "MODERATE"
  },
  "details": "There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 10.9.1 \u2013 11.3 that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim\u2019s browser.  The privileges required to execute this attack are high, requiring publisher capabilities.  The impact is low to both confidentiality and integrity while having no impact to availability.",
  "id": "GHSA-5ggx-8w3f-h4gf",
  "modified": "2025-04-10T21:31:07Z",
  "published": "2025-03-03T21:31:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51957"
    },
    {
      "type": "WEB",
      "url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

FKIE_CVE-2024-51957

Vulnerability from fkie_nvd - Published: 2025-03-03 20:15 - Updated: 2025-04-10 20:15

Severity ?

4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Summary

References

	URL	Tags
	psirt@esri.com	https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/	Vendor Advisory

Impacted products

	Vendor	Product	Version
	esri	arcgis_server	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0F9FCA91-B1DE-4C4E-8E33-C42BEA8F53D0",
              "versionEndIncluding": "11.3",
              "versionStartIncluding": "10.9.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim\u2019s browser.  The privileges required to execute this attack are high, requiring publisher capabilities.  The impact is low to both confidentiality and integrity while having no impact to availability."
    },
    {
      "lang": "es",
      "value": "Existe una vulnerabilidad de cross-site scripting almacenado en ArcGIS Server para las versiones 10.9.1 a 11.3 que puede permitir que un atacante remoto autenticado cree un v\u00ednculo almacenado y manipulado que, al hacer clic en \u00e9l, podr\u00eda ejecutar c\u00f3digo JavaScript arbitrario en el navegador de la v\u00edctima. Los privilegios necesarios para ejecutar este ataque son altos y requieren capacidades de publicaci\u00f3n. El impacto es bajo tanto para la confidencialidad como para la integridad, pero no tiene impacto en la disponibilidad."
    }
  ],
  "id": "CVE-2024-51957",
  "lastModified": "2025-04-10T20:15:21.020",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.7,
        "impactScore": 2.7,
        "source": "psirt@esri.com",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-03-03T20:15:42.217",
  "references": [
    {
      "source": "psirt@esri.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/"
    }
  ],
  "sourceIdentifier": "psirt@esri.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "psirt@esri.com",
      "type": "Primary"
    }
  ]
}

CNVD-2025-05073

Vulnerability from cnvd - Published: 2025-03-13

Title

Esri ArcGIS Server跨站脚本漏洞（CNVD-2025-05073）

Description

Esri ArcGIS Server是Esri公司的一个面向Web的可用于提供地理位置服务的企业级软件平台。 Esri ArcGIS Server 10.9.1至11.3版本存在跨站脚本漏洞，攻击者可利用此漏洞创建特制链接，点击后可能在受害者浏览器中执行任意JavaScript代码。

Severity

中

Patch Name

Esri ArcGIS Server跨站脚本漏洞（CNVD-2025-05073）的补丁

Patch Description

Esri ArcGIS Server是Esri公司的一个面向Web的可用于提供地理位置服务的企业级软件平台。 Esri ArcGIS Server 10.9.1至11.3版本存在跨站脚本漏洞，攻击者可利用此漏洞创建特制链接，点击后可能在受害者浏览器中执行任意JavaScript代码。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://support.esri.com/en-us/patches-updates/2025/arcgis-server-security-2025-update-1

Reference

https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/

Impacted products

Name
ESRI ArcGIS Server >=10.9.1，<=11.3

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-51957",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2024-51957"
    }
  },
  "description": "Esri ArcGIS Server\u662fEsri\u516c\u53f8\u7684\u4e00\u4e2a\u9762\u5411Web\u7684\u53ef\u7528\u4e8e\u63d0\u4f9b\u5730\u7406\u4f4d\u7f6e\u670d\u52a1\u7684\u4f01\u4e1a\u7ea7\u8f6f\u4ef6\u5e73\u53f0\u3002\n\nEsri ArcGIS Server 10.9.1\u81f311.3\u7248\u672c\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u521b\u5efa\u7279\u5236\u94fe\u63a5\uff0c\u70b9\u51fb\u540e\u53ef\u80fd\u5728\u53d7\u5bb3\u8005\u6d4f\u89c8\u5668\u4e2d\u6267\u884c\u4efb\u610fJavaScript\u4ee3\u7801\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://support.esri.com/en-us/patches-updates/2025/arcgis-server-security-2025-update-1",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-05073",
  "openTime": "2025-03-13",
  "patchDescription": "Esri ArcGIS Server\u662fEsri\u516c\u53f8\u7684\u4e00\u4e2a\u9762\u5411Web\u7684\u53ef\u7528\u4e8e\u63d0\u4f9b\u5730\u7406\u4f4d\u7f6e\u670d\u52a1\u7684\u4f01\u4e1a\u7ea7\u8f6f\u4ef6\u5e73\u53f0\u3002\r\n\r\nEsri ArcGIS Server 10.9.1\u81f311.3\u7248\u672c\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u521b\u5efa\u7279\u5236\u94fe\u63a5\uff0c\u70b9\u51fb\u540e\u53ef\u80fd\u5728\u53d7\u5bb3\u8005\u6d4f\u89c8\u5668\u4e2d\u6267\u884c\u4efb\u610fJavaScript\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Esri ArcGIS Server\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2025-05073\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "ESRI ArcGIS Server \u003e=10.9.1\uff0c\u003c=11.3"
  },
  "referenceLink": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/",
  "serverity": "\u4e2d",
  "submitTime": "2025-03-07",
  "title": "Esri ArcGIS Server\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2025-05073\uff09"
}

WID-SEC-W-2025-0476

Vulnerability from csaf_certbund - Published: 2025-03-03 23:00 - Updated: 2025-03-03 23:00

Summary

ESRI ArcGIS: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

ArcGIS ist ein Geoinformationssystem.

Angriff

Ein entfernter, authentifizierter Angreifer kann mehrere Schwachstellen in ESRI ArcGIS ausnutzen, um Dateien zu manipulieren, Cross-Site-Scripting durchzuführen, Informationen offenzulegen oder Sicherheitsvorkehrungen zu umgehen.

Betroffene Betriebssysteme

- Sonstiges - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "ArcGIS ist ein Geoinformationssystem.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, authentifizierter Angreifer kann mehrere Schwachstellen in ESRI ArcGIS ausnutzen, um Dateien zu manipulieren, Cross-Site-Scripting durchzuf\u00fchren, Informationen offenzulegen oder Sicherheitsvorkehrungen zu umgehen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2025-0476 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-0476.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2025-0476 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-0476"
      },
      {
        "category": "external",
        "summary": "ArcGIS Server Security 2025 Update 1 vom 2025-03-03",
        "url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/"
      }
    ],
    "source_lang": "en-US",
    "title": "ESRI ArcGIS: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2025-03-03T23:00:00.000+00:00",
      "generator": {
        "date": "2025-03-04T10:32:52.564+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.12"
        }
      },
      "id": "WID-SEC-W-2025-0476",
      "initial_release_date": "2025-03-03T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2025-03-03T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "Server Security \u003c2025 Update 1",
                "product": {
                  "name": "ESRI ArcGIS Server Security \u003c2025 Update 1",
                  "product_id": "T041548"
                }
              },
              {
                "category": "product_version",
                "name": "Server Security 2025 Update 1",
                "product": {
                  "name": "ESRI ArcGIS Server Security 2025 Update 1",
                  "product_id": "T041548-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:esri:arcgis:server_security__2025_update_1"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "ArcGIS"
          }
        ],
        "category": "vendor",
        "name": "ESRI"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-51962",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51962"
    },
    {
      "cve": "CVE-2024-51954",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51954"
    },
    {
      "cve": "CVE-2024-51961",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51961"
    },
    {
      "cve": "CVE-2024-51958",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51958"
    },
    {
      "cve": "CVE-2024-51966",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51966"
    },
    {
      "cve": "CVE-2024-10904",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-10904"
    },
    {
      "cve": "CVE-2024-51942",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51942"
    },
    {
      "cve": "CVE-2024-51943",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51943"
    },
    {
      "cve": "CVE-2024-51944",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51944"
    },
    {
      "cve": "CVE-2024-51945",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51945"
    },
    {
      "cve": "CVE-2024-51946",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51946"
    },
    {
      "cve": "CVE-2024-51947",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51947"
    },
    {
      "cve": "CVE-2024-51948",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51948"
    },
    {
      "cve": "CVE-2024-51949",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51949"
    },
    {
      "cve": "CVE-2024-51950",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51950"
    },
    {
      "cve": "CVE-2024-51951",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51951"
    },
    {
      "cve": "CVE-2024-51952",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51952"
    },
    {
      "cve": "CVE-2024-51953",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51953"
    },
    {
      "cve": "CVE-2024-51956",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51956"
    },
    {
      "cve": "CVE-2024-51957",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51957"
    },
    {
      "cve": "CVE-2024-51959",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51959"
    },
    {
      "cve": "CVE-2024-51960",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51960"
    },
    {
      "cve": "CVE-2024-51963",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51963"
    },
    {
      "cve": "CVE-2024-5888",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-5888"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-51957 (GCVE-0-2024-51957)

GHSA-5GGX-8W3F-H4GF

FKIE_CVE-2024-51957

CNVD-2025-05073

WID-SEC-W-2025-0476

Tags

Sightings

Nomenclature