CVE-2022-38199 – BUG-000144172 - Remote file download issue in ArcGIS Server
https://notcve.org/view.php?id=CVE-2022-38199
A remote file download issue can occur in some capabilities of Esri ArcGIS Server web services that may in some edge cases allow a remote, unauthenticated attacker to induce an unsuspecting victim to launch a process in the victim's PATH environment. Current browsers provide users with warnings against running unsigned executables downloaded from the internet. Puede producirse un problema de descarga remota de archivos en algunas capacidades de los servicios web de Esri ArcGIS Server que, en algunos casos extremos, puede permitir a un atacante remoto no autenticado inducir a una víctima desprevenida a iniciar un proceso en el entorno PATH de la víctima. Los navegadores actuales proporcionan a usuarios advertencias contra la ejecución de ejecutables no firmados descargados de Internet • https://www.esri.com/arcgis-blog/products/administration/administration/arcgis-server-security-2022-update-1-patch • CWE-494: Download of Code Without Integrity Check •
CVE-2022-38200 – BUG-000142376 - Reflected Cross-Site Scripting (XSS) vulnerability in ArcGIS Server.
https://notcve.org/view.php?id=CVE-2022-38200
A cross site scripting vulnerability exists in some map service configurations of ArcGIS Server versions 10.8.1 and 10.7.1. Specifically crafted web requests can execute arbitrary JavaScript in the context of the victim's browser. Se presenta una vulnerabilidad de tipo cross site scripting en algunas configuraciones de servicios de mapas de ArcGIS Server versiones 10.8.1 y 10.7.1. Las peticiones web específicamente diseñadas pueden ejecutar JavaScript arbitrario en el contexto del navegador de la víctima • https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-server-map-service-security-2022-update-1-is-now-available • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-38189 – There is a stored cross-site scripting (XSS) vulnerability in ArcGIS API for JavaScript.
https://notcve.org/view.php?id=CVE-2022-38189
A stored Cross Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS may allow a remote, authenticated attacker to pass and store malicious strings via crafted queries which when accessed could potentially execute arbitrary JavaScript code in the user’s browser. Una vulnerabilidad de tipo Cross Site Scripting (XSS) almacenado en Esri Portal para ArcGIS puede permitir a un atacante remoto y autenticado pasar y almacenar cadenas maliciosas por medio de consultas diseñadas que, cuando es accedida a ellas, podrían ejecutar código JavaScript arbitrario en el navegador del usuario. • https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2022-update-1-patch • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-38184 – There is an improper access control vulnerability in Portal for ArcGIS versions 10.8.1
https://notcve.org/view.php?id=CVE-2022-38184
There is an improper access control vulnerability in Portal for ArcGIS versions 10.8.1 and below which could allow a remote, unauthenticated attacker to access an API that may induce Esri Portal for ArcGIS to read arbitrary URLs. Se presenta una vulnerabilidad de control de acceso inapropiado en Portal para ArcGIS versiones 10.8.1 y anteriores, que podría permitir a un atacante remoto no autenticado acceder a una API que podría inducir a Esri Portal para ArcGIS a leer URLs arbitrarias. • https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2022-update-1-patch • CWE-284: Improper Access Control •
CVE-2022-38192 – There is a stored cross-site scripting (XSS) vulnerability in ArcGIS API for JavaScript.
https://notcve.org/view.php?id=CVE-2022-38192
A stored Cross Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS may allow a remote, authenticated attacker to pass and store malicious strings via crafted queries which when accessed could potentially execute arbitrary JavaScript code in the user’s browser. Una vulnerabilidad de tipo Cross Site Scripting (XSS) almacenado en Esri Portal para ArcGIS puede permitir a un atacante remoto y autenticado pasar y almacenar cadenas maliciosas por medio de consultas diseñadas que, cuando es accedido a ellas, podrían ejecutar código JavaScript arbitrario en el navegador del usuario. • https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2022-update-1-patch • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •