CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-51944 – Stored XSS in Rest Services Directory
https://notcve.org/view.php?id=CVE-2024-51944
03 Mar 2025 — There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 10.9.1 – 11.3 that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability. • https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 4EXPL: 0CVE-2024-51942 – Stored XSS vulnerability in Rest Admin API under Hosted Feature Services page
https://notcve.org/view.php?id=CVE-2024-51942
03 Mar 2025 — There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 10.9.1 – 11.3 that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability. • https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 4EXPL: 0CVE-2024-10904 – Stored XSS in Server Admin API
https://notcve.org/view.php?id=CVE-2024-10904
03 Mar 2025 — There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 10.9.1 – 11.3 that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability. • https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 4EXPL: 0CVE-2024-5888 – Stored XSS in Rest Services API for a Toolbox published as GP Service
https://notcve.org/view.php?id=CVE-2024-5888
03 Mar 2025 — There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 10.9.1 – 11.3 that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability. • https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-1726 – [#BUG-000172669 ArcGIS Monitor has a security vulnerability]
https://notcve.org/view.php?id=CVE-2025-1726
26 Feb 2025 — There is a SQL injection issue in Esri ArcGIS Monitor versions 2023.0 through 2024.x on Windows and Linux that allows a remote, authenticated attacker with low privileges to improperly read limited database schema information by passing crafted queries. While it is possible to enumerate some internal database identifiers, the impact to the confidentiality vector is "LOW' because any sensitive data returned in a response is encrypted. There is no evidence of impact to the integrity or availability vectors. T... • https://www.esri.com/arcgis-blog/products/monitor/administration/whats-new-in-arcgis-monitor-2024-1 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.3EPSS: 0%CPEs: 2EXPL: 0CVE-2025-1068 – There is a code injection vulnerability in Esri ArcGIS AllSource
https://notcve.org/view.php?id=CVE-2025-1068
25 Feb 2025 — There is an untrusted search path vulnerability in Esri ArcGIS AllSource 1.2 and 1.3 that may allow a low privileged attacker with write privileges to the local file system to introduce a malicious executable to the filesystem. When the victim performs a specific action using ArcGIS AllSource, the file could execute and run malicious commands under the context of the victim. This issue is corrected in ArcGIS AllSource 1.2.1 and 1.3.1. • https://www.esri.com/arcgis-blog/products/administration/administration/arcgis-pro-and-arcgis-allsource-patches-address-high-severity-vulnerabilities • CWE-426: Untrusted Search Path •
CVSS: 7.3EPSS: 0%CPEs: 2EXPL: 0CVE-2025-1067 – There is a code injection vulnerability in ArcGIS Pro
https://notcve.org/view.php?id=CVE-2025-1067
25 Feb 2025 — There is an untrusted search path vulnerability in Esri ArcGIS Pro 3.3 and 3.4 that may allow a low privileged attacker with write privileges to the local file system to introduce a malicious executable to the filesystem. When the victim performs a specific action using ArcGIS ArcGIS Pro, the file could execute and run malicious commands under the context of the victim. This issue is addressed in ArcGIS Pro 3.3.3 and 3.4.1. There is an untrusted search path vulnerability in Esri ArcGIS Pro 3.3 and 3.4 that ... • https://www.esri.com/arcgis-blog/products/administration/administration/arcgis-pro-and-arcgis-allsource-patches-address-high-severity-vulnerabilities • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2024-38040 – BUG-000167984 - Portal for ArcGIS has a Local file inclusion (LFI) vulnerability
https://notcve.org/view.php?id=CVE-2024-38040
04 Oct 2024 — There is a local file inclusion vulnerability in Esri Portal for ArcGIS 11.2. 11.1, 11.0 and 10.9.1 that may allow a remote, unauthenticated attacker to craft a URL that could potentially disclose sensitive configuration information by reading internal files. • https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2024-update-2-released • CWE-73: External Control of File Name or Path •
CVSS: 6.4EPSS: 0%CPEs: 3EXPL: 0CVE-2024-38038 – BUG-000165732 - Reflected XSS in Portal for ArcGIS
https://notcve.org/view.php?id=CVE-2024-38038
04 Oct 2024 — There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.9.1, 10.8.1 and 10.7.1 which may allow a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. • https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2024-update-2-released • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 4EXPL: 0CVE-2024-25691 – BUG-000165286 - Reflected XSS in Portal for ArcGIS
https://notcve.org/view.php?id=CVE-2024-25691
04 Oct 2024 — There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 11.1, 10.9.1 and 10.8.1 which may allow a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. • https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2024-update-2-released • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •