CVSS: 7.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

28 Dec 2022 — There is a path traversal vulnerability in Esri ArcGIS Server versions 10.9.1 and below. Successful exploitation may allow a remote, unauthenticated attacker to traverse the file system to access files outside of the intended directory on ArcGIS Server. This could lead to the disclosure of sensitive site configuration information (not user datasets). • https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2022-update-2-patch-is-now-available • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') • CWE-23: Relative Path Traversal

CVSS: 6.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

25 Oct 2022 — There is a reflected cross site scripting issue in Esri ArcGIS Server versions 10.9.1 and below which may allow a remote, unauthorized attacker to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the victim’s browser. • https://www.esri.com/arcgis-blog/products/administration/administration/arcgis-server-security-2022-update-1-patch • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

25 Oct 2022 — Esri ArcGIS Server versions 10.9.1 and prior have a path traversal vulnerability that may result in a denial of service by allowing a remote, authenticated attacker to overwrite an internal ArcGIS Server directory. • https://www.esri.com/arcgis-blog/products/administration/administration/arcgis-server-security-2022-update-1-patch • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 6.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

25 Oct 2022 — Esri ArcGIS Server versions 10.9.1 and below have an unvalidated redirect issue that may allow a remote, unauthenticated attacker to phish a user into accessing an attacker controlled website via a crafted query parameter. • https://www.esri.com/arcgis-blog/products/administration/administration/arcgis-server-security-2022-update-1-patch • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

CVSS: 6.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

25 Oct 2022 — There is a reflected cross site scripting issue in the Esri ArcGIS Server services directory versions 10.9.1 and below that may allow a remote, unauthenticated attacker to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the victim’s browser. • https://www.esri.com/arcgis-blog/products/administration/administration/arcgis-server-security-2022-update-1-patch • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

07 Dec 2021 — A SQL injection vulnerability in feature services provided by Esri ArcGIS Server 10.9 and below allows a remote, unauthenticated attacker to impact the confidentiality, integrity and availability of targeted services via specifically crafted queries. • https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-server-security-2021-update-2-patch-is-now-available • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 4.7 | EPSS: 0% | CPEs: 1 | EXPL: 0

07 Dec 2021 — A remote file inclusion vulnerability in the ArcGIS Server help documentation may allow a remote, unauthenticated attacker to inject attacker-supplied HTML into a page. • https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-server-security-2021-update-2-patch-is-now-available • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') • CWE-829: Inclusion of Functionality from Untrusted Control Sphere

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

11 Jul 2021 — A stored Cross Site Scripting (XSS) vulnerability in ArcGIS Server Manager version 10.8.1 and below may allow a remote unauthenticated attacker to pass and store malicious strings in the ArcGIS Server Manager application. • https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-server-security-2021-update-1-patch • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

11 Jul 2021 — A Server-Side Request Forgery (SSRF) vulnerability in ArcGIS Server Manager version 10.8.1 and below may allow a remote, unauthenticated attacker to forge GET requests to arbitrary URLs from the system, potentially leading to network enumeration or facilitating other attacks. • https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-server-security-2021-update-1-patch • CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

11 Jul 2021 — A reflected Cross Site Scripting (XSS) vulnerability in ArcGIS Server version 10.8.1 and below may allow a remote attacker to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the user’s browser. • https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-server-security-2021-update-1-patch • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')