CVE-2022-38186
https://notcve.org/view.php?id=CVE-2022-38186
There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.8.1 and below which may allow a remote attacker able to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the victim’s browser. Se presenta una vulnerabilidad de tipo XSS reflejado en Esri Portal for ArcGIS versiones 10.8.1 y anteriores, que puede permitir a un atacante remoto convencer a un usuario de que haga clic en un enlace diseñado que podría ejecutar código JavaScript arbitrario en el navegador de la víctima. • https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2022-update-1-patch • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-29110 – Stored cross-site scripting (XSS) issue in Esri Portal for ArcGIS may allow a remote unauthenticated attacker to pass and store malicious strings in the home application.
https://notcve.org/view.php?id=CVE-2021-29110
Stored cross-site scripting (XSS) issue in Esri Portal for ArcGIS may allow a remote unauthenticated attacker to pass and store malicious strings in the home application. Un problema de tipo cross-site scripting (XSS) almacenado en Esri Portal for ArcGIS puede permitir a un atacante remoto no autenticado pasar y almacenar cadenas maliciosas en la aplicación de inicio • https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/Portal-for-ArcGIS-Security-2021-Update-1-Patch • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-29109 – A reflected XSS vulnerability in Esri Portal for ArcGIS version 10.9.
https://notcve.org/view.php?id=CVE-2021-29109
A reflected XSS vulnerability in Esri Portal for ArcGIS version 10.9 and below may allow a remote attacker able to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the user’s browser. Una vulnerabilidad de tipo XSS reflejado en Esri Portal for ArcGIS versión 10.9 y por debajo, puede permitir a un atacante remoto convencer a un usuario de que hacer clic en un enlace diseñado que podría ejecutar código JavaScript arbitrario en el navegador del usuario • https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/Portal-for-ArcGIS-Security-2021-Update-1-Patch • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-29108 – There is an privilege escalation vulnerability in organization-specific logins in Esri Portal for ArcGIS versions 10.9 and below.
https://notcve.org/view.php?id=CVE-2021-29108
There is an privilege escalation vulnerability in organization-specific logins in Esri Portal for ArcGIS versions 10.9 and below that may allow a remote, authenticated attacker who is able to intercept and modify a SAML assertion to impersonate another account (XML Signature Wrapping Attack). In addition patching, Esri also strongly recommends as best practice for SAML assertions to be signed and encrypted. Existe una vulnerabilidad de escalada de privilegios en los inicios de sesión específicos de la organización en Esri Portal for ArcGIS versiones 10.9 y anteriores que puede permitir que un atacante remoto autenticado que pueda interceptar y modificar una aserción SAML suplante a otra cuenta (XML Signature Wrapping Attack). Además de la aplicación de parches, Esri también recomienda encarecidamente como práctica recomendada que las aserciones SAML estén firmadas y cifradas. • https://downloads.esri.com/RESOURCES/ENTERPRISEGIS/Organization-Specific_Logins_FAQs.pdf https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/Portal-for-ArcGIS-Security-2021-Update-1-Patch • CWE-347: Improper Verification of Cryptographic Signature •