
CVE-2025-2538 – BUG-000174336
https://notcve.org/view.php?id=CVE-2025-2538
20 Mar 2025 — A specific type of ArcGIS Enterprise deployment is vulnerable to a Password Recovery Exploitation vulnerability in Portal that could allow an attacker to reset the password on the built-in admin account. A hardcoded credential vulnerability exists in a specific deployment pattern for Esri Portal for ArcGIS versions 11.4 and below that may allow a remote authenticated attacker to gain administrative access to the system. • https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2025-update-1-patch • CWE-798: Use of Hard-coded Credentials •

CVE-2024-51966 – Directory traversal vulnerability in ArcGIS Server
https://notcve.org/view.php?id=CVE-2024-51966
03 Mar 2025 — There is a path traversal vulnerability in ESRI ArcGIS Server versions 10.9.1 thru 11.3. Successful exploitation may allow a remote authenticated attacker with admin privileges to traverse the file system to access files outside of the intended directory. There is no impact to integrity or availability due to the nature of the files that can be accessed, but there is a potential high impact to confidentiality. • https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2024-51963 – Stored XSS in ArcGIS Server Manager
https://notcve.org/view.php?id=CVE-2024-51963
03 Mar 2025 — There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 10.9.1 – 11.3 that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability. • https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-51962 – SQL injection vulnerability in ArcGIS Server
https://notcve.org/view.php?id=CVE-2024-51962
03 Mar 2025 — A SQL injection vulnerability in ArcGIS Server allows an EDIT operation to modify Column properties allowing for the execution of a SQL Injection by a remote authenticated user with elevated (non-admin) privileges. There is a high impact to integrity and confidentiality and no impact to availability. • https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2024-51961 – Local file inclusion (LFI) vulnerability in ArcGIS Server
https://notcve.org/view.php?id=CVE-2024-51961
03 Mar 2025 — There is a local file inclusion vulnerability in ArcGIS Server 10.9.1 thru 11.3 that may allow a remote, unauthenticated attacker to craft a URL that could potentially disclose sensitive configuration information by reading internal files from the remote server. Due to the nature of the files accessible in this vulnerability, the impact to confidentiality is high; there is no impact to either integrity or availability. • https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch • CWE-73: External Control of File Name or Path •

CVE-2024-51960 – Stored XSS in ArcGIS Server Administrator Directory
https://notcve.org/view.php?id=CVE-2024-51960
03 Mar 2025 — There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 10.9.1 – 11.3 that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability. • https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-51959 – Stored XSS issue in Server Admin API
https://notcve.org/view.php?id=CVE-2024-51959
03 Mar 2025 — There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 10.9.1 – 11.3 that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability. • https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-51958 – Directory traversal vulnerability in the admin api for service thumbnails
https://notcve.org/view.php?id=CVE-2024-51958
03 Mar 2025 — There is a path traversal vulnerability in ESRI ArcGIS Server versions 10.9.1 thru 11.3. Successful exploitation may allow a remote authenticated attacker with admin privileges to traverse the file system to access files outside of the intended directory. There is no impact to integrity or availability due to the nature of the files that can be accessed, but there is a potential high impact to confidentiality. • https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2024-51957 – Stored XSS vulnerability in ArcGIS Rest Services Directory
https://notcve.org/view.php?id=CVE-2024-51957
03 Mar 2025 — There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 10.9.1 – 11.3 that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability. • https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-51956 – Stored XSS vulnerability in ArcGIS Server Administrator Directory
https://notcve.org/view.php?id=CVE-2024-51956
03 Mar 2025 — There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 10.9.1 – 11.3 that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability. • https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •