CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-38201 – An unvalidated redirect vulnerability exists in Esri ArcGIS Quick Capture Web Designer versions 10.8.1 to 10.9.1.
https://notcve.org/view.php?id=CVE-2022-38201
An unvalidated redirect vulnerability exists in Esri Portal for ArcGIS Quick Capture Web Designer versions 10.8.1 to 10.9.1. A remote, unauthenticated attacker can potentially induce an unsuspecting authenticated user to access an an attacker controlled domain. Existe una vulnerabilidad de redireccionamiento no validada en Esri Portal for ArcGIS Quick Capture Web Designer versiones 10.8.1 a 10.9.1. Un atacante remoto y no autenticado puede potencialmente inducir a un usuario autenticado desprevenido a acceder a un dominio controlado por un atacante. • https://www.esri.com/arcgis-blog/products/product/uncategorized/portal-for-arcgis-quick-capture-security-patch-is-now-available • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-38195 – BUG-000150540 - Reflected XSS vulnerability in ArcGIS Server
https://notcve.org/view.php?id=CVE-2022-38195
There is as reflected cross site scripting issue in Esri ArcGIS Server versions 10.9.1 and below which may allow a remote unauthorized attacker able to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the victim’s browser. Se presenta un problema de tipo cross site scripting reflejado en Esri ArcGIS Server versiones 10.9.1 y posteriores, que puede permitir a un atacante remoto no autorizado convencer a un usuario de que haga clic en un enlace diseñado que podría ejecutar código JavaScript arbitrario en el navegador de la víctima • https://www.esri.com/arcgis-blog/products/administration/administration/arcgis-server-security-2022-update-1-patch • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-38196 – BUG-000150537 - ArcGIS Server has a local file inclusion (LFI) vulnerability
https://notcve.org/view.php?id=CVE-2022-38196
Esri ArcGIS Server versions 10.9.1 and prior have a path traversal vulnerability that may result in a denial of service by allowing a remote, authenticated attacker to overwrite internal ArcGIS Server directory. Esri ArcGIS Server versiones 10.9.1 y anteriores, presentan una vulnerabilidad de salto de ruta que puede resultar en una denegación de servicio al permitir que un atacante remoto y autenticado sobrescriba el directorio interno de ArcGIS Server • https://www.esri.com/arcgis-blog/products/administration/administration/arcgis-server-security-2022-update-1-patch • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-38197 – BUG-000148347 Unvalidated redirect issues in ArcGIS Server.
https://notcve.org/view.php?id=CVE-2022-38197
Esri ArcGIS Server versions 10.9.1 and below have an unvalidated redirect issue that may allow a remote, unauthenticated attacker to phish a user into accessing an attacker controlled website via a crafted query parameter. Esri ArcGIS Server versiones 10.9.1 y posteriores de Esri ArcGIS Server presentan un problema de redireccionamiento no comprobado que puede permitir a un atacante remoto no autenticado engañar a un usuario para que acceda a un sitio web controlado por un atacante por medio de un parámetro de consulta diseñado • https://www.esri.com/arcgis-blog/products/administration/administration/arcgis-server-security-2022-update-1-patch • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-38198 – BUG-000146513 - Reflected XSS vulnerability in ArcGIS Server
https://notcve.org/view.php?id=CVE-2022-38198
There is a reflected cross site scripting issue in the Esri ArcGIS Server services directory versions 10.9.1 and below that may allow a remote, unauthenticated attacker to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the victim’s browser. Se presenta un problema de tipo cross site scripting reflejado en el directorio de servicios de Esri ArcGIS Server versiones 10.9.1 y anteriores, que puede permitir a un atacante remoto no autenticado convencer a un usuario de que haga clic en un enlace diseñado que podría ejecutar código JavaScript arbitrario en el navegador de la víctima • https://www.esri.com/arcgis-blog/products/administration/administration/arcgis-server-security-2022-update-1-patch • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •