CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2021-29106 – There is a reflected Cross Site Scripting (XSS) vulnerability in Esri ArcGIS Server version 10.8.1 and below.
https://notcve.org/view.php?id=CVE-2021-29106
10 Jul 2021 — A reflected Cross Site Scripting (XSS) vulnerability in Esri ArcGIS Server version 10.8.1 and below may allow a remote attacker able to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the user’s browser. Una vulnerabilidad de Cross Site Scripting (XSS) reflejada en Esri ArcGIS Server versión 10.8.1 e inferior puede permitir que un atacante remoto pueda convencer a un usuario de que haga clic en un enlace elaborado que podría ejecutar código JavaScript ... • https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-server-security-2021-update-1-patch • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2021-29107 – There is a stored Cross Site Scripting (XXS) vulnerability in ArcGIS Server Manager version 10.8.1 and below.
https://notcve.org/view.php?id=CVE-2021-29107
10 Jul 2021 — A stored Cross Site Scripting (XXS) vulnerability in ArcGIS Server Manager version 10.8.1 and below may allow a remote unauthenticated attacker to pass and store malicious strings in the ArcGIS Server Manager application. Una vulnerabilidad de tipo Cross Site Scripting (XXS) almacenado en ArcGIS Server Manager versión 10.8.1 y por debajo, podría permitir a un atacante remoto no autenticado pasar y almacenar cadenas maliciosas en la aplicación ArcGIS Server Manager • https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-server-security-2021-update-1-patch • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2021-29099 – There is a SQL injection vulnerability in ArcGIS Server
https://notcve.org/view.php?id=CVE-2021-29099
07 Jun 2021 — A SQL injection vulnerability exists in some configurations of ArcGIS Server versions 10.8.1 and earlier. Specially crafted web requests can expose information that is not intended to be disclosed (not customer datasets). Web Services that use file based data sources (file Geodatabase or Shape Files or tile cached services) are unaffected by this issue. Se presenta una vulnerabilidad de inyección SQL en algunas configuraciones de ArcGIS Server versiones 10.8.1 y anteriores. Unas peticiones web especialmente... • https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/security-advisory-e21-03-server-sql • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.6EPSS: 1%CPEs: 1EXPL: 0CVE-2021-29101 – ArcGIS GeoEvent Server has a Directory Traversal security vulnerability.
https://notcve.org/view.php?id=CVE-2021-29101
05 May 2021 — ArcGIS GeoEvent Server versions 10.8.1 and below has a read-only directory path traversal vulnerability that could allow an unauthenticated, remote attacker to perform directory traversal attacks and read arbitrary files on the system. ArcGIS GeoEvent Server versiones 10.8.1 y anteriores, presenta una vulnerabilidad de salto de ruta de directorio de solo lectura que podría permitir a un atacante remoto no autenticado llevar a cabo ataques de salto de directorio y leer archivos arbitrarios en el sistema • https://www.esri.com/arcgis-blog/products/ext-server-geoevent/administration/arcgis-geoevent-server-security-update-2021-patch-1 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-23: Relative Path Traversal •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-29095 – ArcGIS Server image service and raster analytics security update: uninitialized pointer
https://notcve.org/view.php?id=CVE-2021-29095
25 Mar 2021 — Multiple uninitialized pointer vulnerabilities when parsing a specially crafted file in Esri ArcGIS Server 10.8.1 (and earlier) allows an authenticated attacker with specialized permissions to achieve arbitrary code execution in the context of the service account. Múltiples vulnerabilidades de puntero no inicializado cuando se analiza un archivo especialmente diseñado en Esri ArcGIS Server versiones 10.8.1 (y anteriores), permiten a un atacante autenticado con permisos especializados lograr una ejecución de... • https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/security-advisory-server-image • CWE-824: Access of Uninitialized Pointer •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-29094 – ArcGIS Server image service and raster analytics security update: buffer overflow
https://notcve.org/view.php?id=CVE-2021-29094
25 Mar 2021 — Multiple buffer overflow vulnerabilities when parsing a specially crafted file in Esri ArcGIS Server 10.8.1 (and earlier) allows an authenticated attacker with specialized permissions to achieve arbitrary code execution in the context of the service account. Múltiples vulnerabilidades de desbordamiento de búfer cuando se analiza un archivo especialmente diseñado en Esri ArcGIS Server versiones 10.8.1 (y anteriores), permiten a un atacante autenticado con permisos especializados lograr una ejecución de códig... • https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/security-advisory-server-image • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-29093 – ArcGIS Server image service and raster analytics security update: use-after-free
https://notcve.org/view.php?id=CVE-2021-29093
25 Mar 2021 — A use-after-free vulnerability when parsing a specially crafted file in Esri ArcGIS Server 10.8.1 (and earlier) allows an authenticated attacker with specialized permissions to achieve arbitrary code execution in the context of the service account. Una vulnerabilidad de uso de la memoria previamente liberada cuando se analiza un archivo especialmente diseñado en Esri ArcGIS Server versiones 10.8.1 (y anteriores), permite a un atacante autenticado con permisos especializados lograr una ejecución de código ar... • https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/security-advisory-server-image • CWE-416: Use After Free •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2020-35712
https://notcve.org/view.php?id=CVE-2020-35712
25 Dec 2020 — Esri ArcGIS Server before 10.8 is vulnerable to SSRF in some configurations. Esri ArcGIS Server versiones anteriores a 10.8, es susceptible a una vulnerabilidad de tipo SSRF en algunas configuraciones • https://support.esri.com/en/bugs/nimbus/QlVHLTAwMDEyODA2MA== • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2014-9741
https://notcve.org/view.php?id=CVE-2014-9741
08 Jul 2015 — Multiple cross-site scripting (XSS) vulnerabilities in ESRI ArcGIS for Desktop, ArcGIS for Engine, and ArcGIS for Server 10.2.2 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. Múltiples vulnerabilidades de XSS en ESRI ArcGIS Desktop, ArcGIS Engine, y ArcGIS Server 10.2.2 y anteriores permiten a atacantes remotos inyectar secuencias de comandos web arbitrarios o HTML a través de vectores no especificados. • http://blogs.esri.com/esri/arcgis/2014/09/04/arcgis-for-server-security-patch-10-1-sp1-qip-10-2-1-10-2-2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2014-5122 – ArcGIS for Server 10.1.1 XSS / Open Redirect
https://notcve.org/view.php?id=CVE-2014-5122
21 Aug 2014 — Open redirect vulnerability in ESRI ArcGIS for Server 10.1.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via an unspecified parameter, related to login. Vulnerabilidad de redirreción abierta en ESRI ArcGIS for Server 10.1.1 permite a atacantes remotos redirigir usuarios hacia sitios web arbitrarios y realizar ataques de phishing a través de un parámetro no especificado, relacionado con el inicio de sesión. ArcGIS for Server version 10.1.1 suffers from cross ... • http://packetstormsecurity.com/files/127959/ArcGIS-For-Server-10.1.1-XSS-Open-Redirect.html •