CVSS: 4.8EPSS: 0%CPEs: 4EXPL: 0CVE-2024-51942 – Stored XSS vulnerability in Rest Admin API under Hosted Feature Services page
https://notcve.org/view.php?id=CVE-2024-51942
03 Mar 2025 — There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 10.9.1 – 11.3 that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability. • https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 4EXPL: 0CVE-2024-10904 – Stored XSS in Server Admin API
https://notcve.org/view.php?id=CVE-2024-10904
03 Mar 2025 — There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 10.9.1 – 11.3 that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability. • https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 4EXPL: 0CVE-2024-5888 – Stored XSS in Rest Services API for a Toolbox published as GP Service
https://notcve.org/view.php?id=CVE-2024-5888
03 Mar 2025 — There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 10.9.1 – 11.3 that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability. • https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-25848 – BUG-000158039 - There is an information disclosure issue in ArcGIS Server.
https://notcve.org/view.php?id=CVE-2023-25848
25 Aug 2023 — ArcGIS Enterprise Server versions 11.0 and below have an information disclosure vulnerability where a remote, unauthorized attacker may submit a crafted query that may result in a low severity information disclosure issue. The information disclosed is limited to a single attribute in a database connection string. No business data is disclosed. • https://www.esri.com/arcgis-blog/products/trust-arcgis/announcements/arcgis-server-map-and-feature-service-security-2023-update-1-patch • CWE-319: Cleartext Transmission of Sensitive Information •
CVSS: 6.4EPSS: 0%CPEs: 3EXPL: 0CVE-2023-25841 – BUG-000158075 Stored XSS issue in ArcGIS Server
https://notcve.org/view.php?id=CVE-2023-25841
21 Jul 2023 — There is a stored Cross-site Scripting vulnerability in Esri ArcGIS Server versions 10.8.1 – 11.0 on Windows and Linux platforms that may allow a remote, unauthenticated attacker to create crafted content which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. Mitigation: Disable anonymous access to ArcGIS Feature services with edit capabilities. • https://www.esri.com/arcgis-blog/products/trust-arcgis/announcements/arcgis-server-security-2023-update-1-patch-available • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 3.4EPSS: 0%CPEs: 3EXPL: 0CVE-2023-25840 – BUG-000154070 Stored XSS issue in the ArcGIS REST Services directory
https://notcve.org/view.php?id=CVE-2023-25840
21 Jul 2023 — There is a Cross-site Scripting vulnerability in ArcGIS Server in versions 10.8.1 – 11.1 that may allow a remote, authenticated attacker to create a crafted link which onmouseover wont execute but could potentially render an image in the victims browser. The privileges required to execute this attack are high. There is a Cross-site Scripting vulnerability in ArcGIS Server in versions 10.8.1 – 11.1 that may allow a remote, authenticated attacker to create a crafted link which onmouseover wont execute but cou... • https://www.esri.com/arcgis-blog/products/trust-arcgis/announcements/arcgis-server-security-2023-update-1-patch-available • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-38202 – BUG-000152121 - Directory traversal vulnerability in ArcGIS Server.
https://notcve.org/view.php?id=CVE-2022-38202
28 Dec 2022 — There is a path traversal vulnerability in Esri ArcGIS Server versions 10.9.1 and below. Successful exploitation may allow a remote, unauthenticated attacker traverse the file system to access files outside of the intended directory on ArcGIS Server. This could lead to the disclosure of sensitive site configuration information (not user datasets). Existe una vulnerabilidad de path traversal en las versiones 10.9.1 y anteriores de Esri ArcGIS Server. La explotación exitosa puede permitir que un atacante remo... • https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2022-update-2-patch-is-now-available • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-23: Relative Path Traversal •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2022-38195 – BUG-000150540 - Reflected XSS vulnerability in ArcGIS Server
https://notcve.org/view.php?id=CVE-2022-38195
25 Oct 2022 — There is as reflected cross site scripting issue in Esri ArcGIS Server versions 10.9.1 and below which may allow a remote unauthorized attacker able to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the victim’s browser. Se presenta un problema de tipo cross site scripting reflejado en Esri ArcGIS Server versiones 10.9.1 y posteriores, que puede permitir a un atacante remoto no autorizado convencer a un usuario de que haga clic en un enlace diseñado q... • https://www.esri.com/arcgis-blog/products/administration/administration/arcgis-server-security-2022-update-1-patch • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-38196 – BUG-000150537 - ArcGIS Server has a local file inclusion (LFI) vulnerability
https://notcve.org/view.php?id=CVE-2022-38196
25 Oct 2022 — Esri ArcGIS Server versions 10.9.1 and prior have a path traversal vulnerability that may result in a denial of service by allowing a remote, authenticated attacker to overwrite internal ArcGIS Server directory. Esri ArcGIS Server versiones 10.9.1 y anteriores, presentan una vulnerabilidad de salto de ruta que puede resultar en una denegación de servicio al permitir que un atacante remoto y autenticado sobrescriba el directorio interno de ArcGIS Server • https://www.esri.com/arcgis-blog/products/administration/administration/arcgis-server-security-2022-update-1-patch • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2022-38197 – BUG-000148347 Unvalidated redirect issues in ArcGIS Server.
https://notcve.org/view.php?id=CVE-2022-38197
25 Oct 2022 — Esri ArcGIS Server versions 10.9.1 and below have an unvalidated redirect issue that may allow a remote, unauthenticated attacker to phish a user into accessing an attacker controlled website via a crafted query parameter. Esri ArcGIS Server versiones 10.9.1 y posteriores de Esri ArcGIS Server presentan un problema de redireccionamiento no comprobado que puede permitir a un atacante remoto no autenticado engañar a un usuario para que acceda a un sitio web controlado por un atacante por medio de un parámetro... • https://www.esri.com/arcgis-blog/products/administration/administration/arcgis-server-security-2022-update-1-patch • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •