CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-38192 – There is a stored cross-site scripting (XSS) vulnerability in ArcGIS API for JavaScript.
https://notcve.org/view.php?id=CVE-2022-38192
16 Aug 2022 — A stored Cross Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS may allow a remote, authenticated attacker to pass and store malicious strings via crafted queries which when accessed could potentially execute arbitrary JavaScript code in the user’s browser. Una vulnerabilidad de tipo Cross Site Scripting (XSS) almacenado en Esri Portal para ArcGIS puede permitir a un atacante remoto y autenticado pasar y almacenar cadenas maliciosas por medio de consultas diseñadas que, cuando es accedido a ella... • https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2022-update-1-patch • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 1%CPEs: 1EXPL: 0CVE-2022-38193 – Code injection issue in Portal for ArcGIS (10.7.1 and 10.8.1)
https://notcve.org/view.php?id=CVE-2022-38193
16 Aug 2022 — There is a code injection vulnerability in Esri Portal for ArcGIS versions 10.8.1 and below that may allow a remote, unauthenticated attacker to pass strings which could potentially cause arbitrary code execution. Existe una vulnerabilidad de inyección de código en Esri Portal for ArcGIS versiones 10.8.1 e inferiores que puede permitir a un atacante remoto no autentificado pasar cadenas que podrían causar la ejecución de código arbitrario • https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2022-update-1-patch • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') •
CVSS: 6.7EPSS: 0%CPEs: 1EXPL: 0CVE-2022-38194 – Portal for ArcGIS system properties are not properly encrypted (10.8.1 only)
https://notcve.org/view.php?id=CVE-2022-38194
16 Aug 2022 — In Esri Portal for ArcGIS versions 10.8.1, a system property is not properly encrypted. This may lead to a local user reading sensitive information from a properties file. En Esri Portal para ArcGIS versiones 10.8.1, una propiedad del sistema no está correctamente cifrada. Esto puede conllevar a que un usuario local lea información sensible de un archivo de propiedades. • https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2022-update-1-patch • CWE-311: Missing Encryption of Sensitive Data •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-38191 – HTML injection vulnerability in Portal for ArcGIS
https://notcve.org/view.php?id=CVE-2022-38191
15 Aug 2022 — There is an HTML injection issue in Esri Portal for ArcGIS versions 10.9.0 and below which may allow a remote, authenticated attacker to inject HTML into some locations in the home application. Se presenta un problema de inyección de HTML en Esri Portal for ArcGIS versiones 10.9.0 y anteriores, que puede permitir a un atacante remoto y autenticado inyectar HTML en algunas ubicaciones de la aplicación de inicio. • https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2022-update-1-patch • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-38187 – Prevent access to sharing/rest/content/features/analyze to unauthorized users
https://notcve.org/view.php?id=CVE-2022-38187
15 Aug 2022 — Prior to version 10.9.0, the sharing/rest/content/features/analyze endpoint is always accessible to anonymous users, which could allow an unauthenticated attacker to induce Esri Portal for ArcGIS to read arbitrary URLs. En versiones anteriores a 10.9.0, el endpoint sharing/rest/content/features/analyze es siempre accesible para usuarios anónimos, lo que podría permitir a un atacante no autenticado inducir a Esri Portal for ArcGIS a leer URLs arbitrarias. • https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2022-update-1-patch • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-38188
https://notcve.org/view.php?id=CVE-2022-38188
15 Aug 2022 — There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.9.1 which may allow a remote attacker able to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the victim’s browser. Se presenta una vulnerabilidad de tipo XSS reflejado en Esri Portal for ArcGIS versiones 10.9.1, que puede permitir a un atacante remoto convencer a un usuario de que haga clic en un enlace diseñado que podría ejecutar código JavaScript arbitrario en el navegador... • https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2022-update-1-patch • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2022-38190 – Stored cross-site scripting vulnerability in Esri Portal for ArcGIS Configurable Apps
https://notcve.org/view.php?id=CVE-2022-38190
15 Aug 2022 — A stored Cross Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS configurable apps may allow a remote, unauthenticated attacker to pass and store malicious strings via crafted queries which when accessed could potentially execute arbitrary JavaScript code in the user’s browser Una vulnerabilidad de tipo Cross Site Scripting (XSS) almacenado en las aplicaciones configurables de Esri Portal for ArcGIS puede permitir a un atacante remoto no autenticado pasar y almacenar cadenas maliciosas por medio ... • https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2022-update-1-patch • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-38186
https://notcve.org/view.php?id=CVE-2022-38186
15 Aug 2022 — There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.8.1 and below which may allow a remote attacker able to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the victim’s browser. Se presenta una vulnerabilidad de tipo XSS reflejado en Esri Portal for ArcGIS versiones 10.8.1 y anteriores, que puede permitir a un atacante remoto convencer a un usuario de que haga clic en un enlace diseñado que podría ejecutar código JavaScript arb... • https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2022-update-1-patch • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2021-29110 – Stored cross-site scripting (XSS) issue in Esri Portal for ArcGIS may allow a remote unauthenticated attacker to pass and store malicious strings in the home application.
https://notcve.org/view.php?id=CVE-2021-29110
01 Oct 2021 — Stored cross-site scripting (XSS) issue in Esri Portal for ArcGIS may allow a remote unauthenticated attacker to pass and store malicious strings in the home application. Un problema de tipo cross-site scripting (XSS) almacenado en Esri Portal for ArcGIS puede permitir a un atacante remoto no autenticado pasar y almacenar cadenas maliciosas en la aplicación de inicio • https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/Portal-for-ArcGIS-Security-2021-Update-1-Patch • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2021-29109 – A reflected XSS vulnerability in Esri Portal for ArcGIS version 10.9.
https://notcve.org/view.php?id=CVE-2021-29109
01 Oct 2021 — A reflected XSS vulnerability in Esri Portal for ArcGIS version 10.9 and below may allow a remote attacker able to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the user’s browser. Una vulnerabilidad de tipo XSS reflejado en Esri Portal for ArcGIS versión 10.9 y por debajo, puede permitir a un atacante remoto convencer a un usuario de que hacer clic en un enlace diseñado que podría ejecutar código JavaScript arbitrario en el navegador del usuario • https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/Portal-for-ArcGIS-Security-2021-Update-1-Patch • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •