CVE-2013-5221
https://notcve.org/view.php?id=CVE-2013-5221
The mobile-upload feature in Esri ArcGIS for Server 10.1 through 10.2 allows remote authenticated users to upload .exe files by leveraging (1) publisher or (2) administrator privileges.
References: http://support.esri.com/en/downloads/patches-servicepacks/view/productid/66/metaid/2009 • http://support.esri.com/en/knowledgebase/techarticles/detail/41497
Weakness: CWE-20: Improper Input Validation
CVE-2012-4949 – ESRI ArcGIS for Server - 'where' SQL Injection
https://notcve.org/view.php?id=CVE-2012-4949
SQL injection vulnerability in ESRI ArcGIS 10.1 allows remote authenticated users to execute arbitrary SQL commands via the where parameter to a query URI for a REST service.
References: https://www.exploit-db.com/exploits/38016 • http://www.kb.cert.org/vuls/id/795644 • https://exchange.xforce.ibmcloud.com/vulnerabilities/79977
Weakness: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')