Esri
By the Year
In 2026 there has been 1 vulnerability in Esri with an average score of 5.0 out of ten. Last year, in 2025, Esri had 48 security vulnerabilities published. Right now, Esri is on track to have fewer security vulnerabilities in 2026 than it did last year. Last year, the average CVE base score was 0.73 higher.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 1 | 5.00 |
| 2025 | 48 | 5.73 |
| 2024 | 25 | 5.87 |
| 2023 | 13 | 6.34 |
| 2022 | 31 | 6.52 |
| 2021 | 23 | 6.73 |
| 2020 | 0 | 0.00 |
| 2019 | 1 | 5.40 |
It may take a day or so for new Esri vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Esri Security Vulnerabilities
| CVE | Date | Vulnerability |
|---|---|---|
| CVE-2026-1446 | Jan 26, 2026 | XSS in Esri ArcGIS Pro 3.6.0 or earlier (local user only). There is a cross-site scripting (XSS) issue in Esri ArcGIS Pro versions 3.6.0 and earlier. ArcGIS Pro is a desktop application, and exploitation is limited to local users interacting with the application; no privileged role or elevated permissions are required beyond standard local user access. A local attacker can supply malicious strings that may be rendered and executed when a specific dialog within ArcGIS Pro is opened. This issue is fixed in ArcGIS Pro version 3.6.1. |
| CVE-2025-67711 | Dec 31, 2025 | Stored XSS in Esri ArcGIS Server 11.4 and earlier on Windows and Linux. There is a stored cross-site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim's browser. |
| CVE-2025-67710 | Dec 31, 2025 | Stored XSS in Esri ArcGIS Server 11.4 and earlier on Windows and Linux. There is a stored cross-site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim's browser. |
| CVE-2025-67709 | Dec 31, 2025 | Stored XSS in Esri ArcGIS Server 11.4 and earlier on Windows and Linux. There is a stored cross-site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim's browser. |
| CVE-2025-67708 | Dec 31, 2025 | Stored XSS in Esri ArcGIS Server 11.4 and earlier on Windows and Linux. There is a stored cross-site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim's browser. |
| CVE-2025-67707 | Dec 31, 2025 | Insufficient validation of uploaded files in ArcGIS Server 11.5 and earlier on Windows and Linux. ArcGIS Server versions 11.5 and earlier on Windows and Linux do not sufficiently validate uploaded files, enabling a remote unauthenticated attacker to upload arbitrary files to the server's designated upload directories. However, the server's architecture enforces controls that restrict uploaded files to non-executable storage locations and prevent modification or replacement of existing application components or system configurations. Uploaded files cannot be executed, leveraged to escalate privileges, or used to access sensitive data. Because the issue does not enable execution, service disruption, unauthorized access, or integrity compromise, its impact on confidentiality, integrity, and availability is low. Note that race conditions, secret values, or man-in-the-middle conditions are required for exploitation. |
| CVE-2025-67706 | Dec 31, 2025 | Insufficient validation of uploaded files in ArcGIS Server 11.5 and earlier on Windows and Linux. ArcGIS Server versions 11.5 and earlier on Windows and Linux do not sufficiently validate uploaded files, enabling a remote unauthenticated attacker to upload arbitrary files to the server's designated upload directories. However, the server's architecture enforces controls that restrict uploaded files to non-executable storage locations and prevent modification or replacement of existing application components or system configurations. Uploaded files cannot be executed, leveraged to escalate privileges, or used to access sensitive data. Because the issue does not enable execution, service disruption, unauthorized access, or integrity compromise, its impact on confidentiality, integrity, and availability is low. Note that race conditions, secret values, or man-in-the-middle conditions are required for exploitation. |
| CVE-2025-67705 | Dec 31, 2025 | Stored XSS in Esri ArcGIS Server 11.4 and earlier on Windows and Linux. There is a stored cross-site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim's browser. |
| CVE-2025-67704 | Dec 31, 2025 | Stored XSS in Esri ArcGIS Server 11.4 and earlier on Windows and Linux. There is a stored cross-site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim's browser. |
| CVE-2025-67703 | Dec 31, 2025 | Stored XSS in Esri ArcGIS Server 11.4 and earlier on Windows and Linux. There is a stored cross-site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim's browser. |
| CVE-2025-67712 | Dec 19, 2025 | HTML injection via unsanitized input in Esri ArcGIS Web AppBuilder Developer Edition before 2.30. There is an HTML injection issue in Esri ArcGIS Web AppBuilder Developer Edition versions prior to 2.30 that allows a remote, unauthenticated attacker to potentially entice a user to click a link that causes arbitrary HTML to render in a victim's browser. There is no evidence of JavaScript execution, which limits the impact. At the time of submission, ArcGIS Web AppBuilder Developer Edition is retired and unsupported. ArcGIS Web AppBuilder 2.30 is not susceptible to this vulnerability. |
| CVE-2025-57870 | Oct 22, 2025 | SQL injection in Esri ArcGIS Server 11.3 to 11.5 via Feature Service. A SQL injection vulnerability exists in Esri ArcGIS Server versions 11.3, 11.4 and 11.5 on Windows, Linux and Kubernetes. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary SQL commands via a specific ArcGIS Feature Service operation. Successful exploitation can potentially result in unauthorized access, modification, or deletion of data from the underlying Enterprise Geodatabase. |
| CVE-2025-57871 | Sep 29, 2025 | Reflected XSS in Esri Portal for ArcGIS <=11.4 (remote authenticated admin). There is a reflected cross-site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser. |
| CVE-2025-57872 | Sep 29, 2025 | Unvalidated redirect in Esri Portal for ArcGIS <=11.4 (remote). There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks. |
| CVE-2025-57873 | Sep 29, 2025 | Reflected XSS in Esri Portal for ArcGIS 11.4 and below via admin-supplied string. There is a reflected cross-site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser. |
| CVE-2025-57874 | Sep 29, 2025 | Reflected XSS in Esri Portal for ArcGIS 11.4 and below (admin JavaScript execution). There is a reflected cross-site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser. |
| CVE-2025-57875 | Sep 29, 2025 | Reflected XSS in Esri Portal for ArcGIS <=11.4 (admin only). There is a reflected cross-site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser. |
| CVE-2025-57877 | Sep 29, 2025 | Esri Portal for ArcGIS 11.4 and below: reflected XSS allows admin JavaScript execution. There is a reflected cross-site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser. |
| CVE-2025-57878 | Sep 29, 2025 | Unvalidated redirect in Esri Portal for ArcGIS 11.4 and earlier. There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks. |
| CVE-2025-57879 | Sep 29, 2025 | Esri Portal for ArcGIS <=11.4 unvalidated redirect enables phishing. There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks. |
| CVE-2025-57876 | Sep 29, 2025 | Esri Portal for ArcGIS 11.4 stored XSS via malicious file upload. There is a stored cross-site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, authenticated attacker to inject a malicious file with an embedded XSS script which, when loaded, could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal. |
| CVE-2025-55107 | Aug 21, 2025 | Esri Portal for ArcGIS Enterprise Sites XSS in file upload (10.9.1 to 11.4). There is a stored cross-site scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 to 11.4 that may allow a remote, authenticated attacker to inject a malicious file with an embedded XSS script which, when loaded, could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal. |
| CVE-2025-4967 | May 29, 2025 | SSRF protection bypass in Esri Portal for ArcGIS 11.4 and prior. Esri Portal for ArcGIS 11.4 and prior allows a remote, unauthenticated attacker to bypass the Portal's SSRF protections. |
| CVE-2025-2538 | Mar 20, 2025 | Esri Portal for ArcGIS <=11.4: hardcoded credential escalation. A hardcoded credential vulnerability exists in a specific deployment pattern for Esri Portal for ArcGIS versions 11.4 and below that may allow a remote unauthenticated attacker to gain administrative access to the system. |
| CVE-2024-51956 | Mar 03, 2025 | Stored XSS in ArcGIS Server <=11.3 via crafted link. There is a stored cross-site scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability. |
| CVE-2024-51957 | Mar 03, 2025 | Stored XSS in ArcGIS Server <=11.3 (publisher privileges). There is a stored cross-site scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability. |
| CVE-2024-51958 | Mar 03, 2025 | Path traversal in Esri ArcGIS Server <=11.3: remote authenticated admin, confidentiality impact. There is a path traversal vulnerability in Esri ArcGIS Server versions 11.3 and below. Successful exploitation may allow a remote authenticated attacker with admin privileges to traverse the file system to access files outside of the intended directory. There is no impact to integrity or availability due to the nature of the files that can be accessed, but there is a potential high impact to confidentiality. |
| CVE-2024-51959 | Mar 03, 2025 | Stored XSS via crafted link in Esri ArcGIS Server 11.3 and earlier. There is a stored cross-site scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability. |
| CVE-2024-51960 | Mar 03, 2025 | ArcGIS Server <=11.3 XSS: authenticated publisher can run JavaScript. There is a stored cross-site scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability. |
| CVE-2024-51961 | Mar 03, 2025 | ArcGIS Server <=11.3 LFI allows unauthenticated remote file disclosure. There is a local file inclusion vulnerability in ArcGIS Server 11.3 and below that may allow a remote, unauthenticated attacker to craft a URL that could potentially disclose sensitive configuration information by reading internal files from the remote server. Due to the nature of the files accessible in this vulnerability, the impact to confidentiality is high; there is no impact to either integrity or availability. |
| CVE-2024-51962 | Mar 03, 2025 | ArcGIS Server SQL injection via EDIT column property modification. A SQL injection vulnerability in ArcGIS Server allows an EDIT operation to modify column properties in a manner that could lead to SQL injection when performed by a remote authenticated user requiring elevated, non-administrative privileges. Exploitation is restricted to users with advanced application-specific permissions, indicating high privileges are required. Successful exploitation would have a high impact on integrity and confidentiality, with no impact on availability. |
| CVE-2024-51963 | Mar 03, 2025 | ArcGIS Server <=11.3 XSS vulnerability (CVE-2024-51963). There is a stored cross-site scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability. |
| CVE-2024-51966 | Mar 03, 2025 | Esri ArcGIS Server <=11.3 path traversal, remote authenticated admin access. There is a path traversal vulnerability in Esri ArcGIS Server versions 11.3 and below. Successful exploitation may allow a remote authenticated attacker with admin privileges to traverse the file system to access files outside of the intended directory. There is no impact to integrity or availability due to the nature of the files that can be accessed, but there is a potential high impact to confidentiality. |
| CVE-2024-5888 | Mar 03, 2025 | ArcGIS Server 11.3 XSS via stored link (publisher capabilities). There is a stored cross-site scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability. |
| CVE-2024-10904 | Mar 03, 2025 | ArcGIS Server <=11.3 authenticated XSS via crafted link. There is a stored cross-site scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability. |
| CVE-2024-51942 | Mar 03, 2025 | ArcGIS Server <=11.3 stored XSS via crafted link. There is a stored cross-site scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability. |
| CVE-2024-51944 | Mar 03, 2025 | Stored XSS in ArcGIS Server 11.3 and below (link component). There is a stored cross-site scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability. |
| CVE-2024-51954 | Mar 03, 2025 | ArcGIS Server improper access control: 11.3 and prior (Windows/Linux). There is an improper access control issue in ArcGIS Server versions 11.3 and below on Windows and Linux which, under unique circumstances, could allow a remote, low-privileged authenticated attacker to access secure services published to a standalone (unfederated) ArcGIS Server instance. Successful exploitation results in unauthorized access to protected services outside the attacker's originally assigned authorization boundary, constituting a scope change. If exploited, this issue would have a high impact on confidentiality, a low impact on integrity, and no impact on the availability of the software. |
| CVE-2024-51953 | Mar 03, 2025 | Stored XSS in ArcGIS Server <=11.3 via crafted link (publisher credentials). There is a stored cross-site scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability. |
| CVE-2024-51952 | Mar 03, 2025 | Stored XSS in Esri ArcGIS Server 11.3 via authenticated publisher. There is a stored cross-site scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability. |
| CVE-2024-51951 | Mar 03, 2025 | Stored XSS in ArcGIS Server <=11.3 via crafted link (publisher auth). There is a stored cross-site scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability. |
| CVE-2024-51950 | Mar 03, 2025 | Stored XSS in ArcGIS Server <=11.3 allows authenticated remote script execution. There is a stored cross-site scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability. |
| CVE-2024-51949 | Mar 03, 2025 | Stored XSS in ArcGIS Server <=11.3 via crafted link. There is a stored cross-site scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability. |
| CVE-2024-51948 | Mar 03, 2025 | ArcGIS Server <=11.3 stored XSS via crafted link. There is a stored cross-site scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability. |
| CVE-2024-51947 | Mar 03, 2025 | ArcGIS Server <=11.3 XSS via stored crafted link in web UI (publisher role). There is a stored cross-site scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability. |
| CVE-2024-51946 | Mar 03, 2025 | ArcGIS Server <=11.3 stored XSS via crafted link (publisher auth). There is a stored cross-site scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability. |
| CVE-2024-51945 | Mar 03, 2025 | ArcGIS Server <=11.3 stored XSS via crafted link (high privileges). There is a stored cross-site scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability. |
| CVE-2025-1067 | Feb 25, 2025 | Untrusted search path in Esri ArcGIS Pro 3.3/3.4 (fixed in 3.3.3/3.4.1). There is an untrusted search path vulnerability in Esri ArcGIS Pro 3.3 and 3.4 that may allow a low-privileged attacker with write privileges to the local file system to introduce a malicious executable to the filesystem. When the victim performs a specific action using ArcGIS Pro, the file could execute and run malicious commands under the context of the victim. This issue is addressed in ArcGIS Pro 3.3.3 and 3.4.1. |
| CVE-2025-1068 | Feb 25, 2025 | Untrusted search path in Esri ArcGIS AllSource 1.2/1.3 (fixed in 1.2.1/1.3.1). There is an untrusted search path vulnerability in Esri ArcGIS AllSource 1.2 and 1.3 that may allow a low-privileged attacker with write privileges to the local file system to introduce a malicious executable to the filesystem. When the victim performs a specific action using ArcGIS AllSource, the file could execute and run malicious commands under the context of the victim. This issue is corrected in ArcGIS AllSource 1.2.1 and 1.3.1. |
| CVE-2024-38039 | Oct 04, 2024 | Esri Portal for ArcGIS <=11.0: HTML injection via crafted link. There is an HTML injection vulnerability in Esri Portal for ArcGIS versions 11.0 and below that may allow a remote, authenticated attacker to create a crafted link which, when clicked, could render arbitrary HTML in the victim's browser (no stateful change made or customer data rendered). |