Esri Arcgis Server
By the Year
In 2026 there have been 0 vulnerabilities in Esri ArcGIS Server. Last year, in 2025, ArcGIS Server had 33 security vulnerabilities published. Right now, ArcGIS Server is on track to have fewer security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 33 | 5.60 |
| 2024 | 1 | 0.00 |
| 2023 | 3 | 4.93 |
| 2022 | 7 | 6.59 |
| 2021 | 13 | 6.55 |
It may take a day or so for new ArcGIS Server vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Esri Arcgis Server Security Vulnerabilities
There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux
CVE-2025-67711
6.1 - Medium
December 31, 2025
There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim's browser.
XSS
There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux
CVE-2025-67710
6.1 - Medium
December 31, 2025
There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim's browser.
XSS
There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux
CVE-2025-67709
6.1 - Medium
December 31, 2025
There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim's browser.
XSS
There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux
CVE-2025-67708
6.1 - Medium
December 31, 2025
There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim's browser.
XSS
ArcGIS Server versions 11.5 and earlier on Windows and Linux do not sufficiently validate uploaded files
CVE-2025-67707
5.6 - Medium
December 31, 2025
ArcGIS Server versions 11.5 and earlier on Windows and Linux do not sufficiently validate uploaded files, enabling a remote unauthenticated attacker to upload arbitrary files to the server's designated upload directories. However, the server's architecture enforces controls that restrict uploaded files to non-executable storage locations and prevent modification or replacement of existing application components or system configurations. Uploaded files cannot be executed, leveraged to escalate privileges, or used to access sensitive data. Because the issue does not enable execution, service disruption, unauthorized access, or integrity compromise, its impact on confidentiality, integrity, and availability is low. Note that race conditions, secret values, or man-in-the-middle conditions are required for exploitation.
Unrestricted File Upload
ArcGIS Server versions 11.5 and earlier on Windows and Linux do not sufficiently validate uploaded files
CVE-2025-67706
5.6 - Medium
December 31, 2025
ArcGIS Server versions 11.5 and earlier on Windows and Linux do not sufficiently validate uploaded files, enabling a remote unauthenticated attacker to upload arbitrary files to the server's designated upload directories. However, the server's architecture enforces controls that restrict uploaded files to non-executable storage locations and prevent modification or replacement of existing application components or system configurations. Uploaded files cannot be executed, leveraged to escalate privileges, or used to access sensitive data. Because the issue does not enable execution, service disruption, unauthorized access, or integrity compromise, its impact on confidentiality, integrity, and availability is low. Note that race conditions, secret values, or man-in-the-middle conditions are required for exploitation.
Unrestricted File Upload
There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux
CVE-2025-67705
6.1 - Medium
December 31, 2025
There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim's browser.
XSS
There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux
CVE-2025-67704
6.1 - Medium
December 31, 2025
There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim's browser.
XSS
There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux
CVE-2025-67703
6.1 - Medium
December 31, 2025
There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim's browser.
XSS
SQL Injection in Esri ArcGIS Server 11.3-11.5 via Feature Service
CVE-2025-57870
10 - Critical
October 22, 2025
A SQL Injection vulnerability exists in Esri ArcGIS Server versions 11.3, 11.4 and 11.5 on Windows, Linux and Kubernetes. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary SQL commands via a specific ArcGIS Feature Service operation. Successful exploitation can potentially result in unauthorized access, modification, or deletion of data from the underlying Enterprise Geodatabase.
SQL Injection
ArcGIS Server <=11.3 Authenticated XSS via crafted link
CVE-2024-10904
4.8 - Medium
March 03, 2025
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.
XSS
ArcGIS Server <=11.3 Stored XSS via crafted link
CVE-2024-51942
4.8 - Medium
March 03, 2025
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.
XSS
ArcGIS Server 11.3 XSS via Stored Link (Publisher Capabilities)
CVE-2024-5888
4.8 - Medium
March 03, 2025
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.
XSS
ESRI ArcGIS Server <11.3 Path Traversal, Remote Auth Admin Access
CVE-2024-51966
4.9 - Medium
March 03, 2025
There is a path traversal vulnerability in ESRI ArcGIS Server versions 11.3 and below. Successful exploitation may allow a remote authenticated attacker with admin privileges to traverse the file system to access files outside of the intended directory. There is no impact to integrity or availability due to the nature of the files that can be accessed, but there is a potential high impact to confidentiality.
Directory traversal
ArcGIS Server 11.3+ XSS Vulnerability (CVE-2024-51963)
CVE-2024-51963
4.8 - Medium
March 03, 2025
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.
XSS
ArcGIS Server SQLi via EDIT Column Property Mutation
CVE-2024-51962
8.7 - High
March 03, 2025
A SQL injection vulnerability in ArcGIS Server allows an EDIT operation to modify column properties in a manner that could lead to SQL injection when performed by a remote authenticated user requiring elevated, non-administrative privileges. Exploitation is restricted to users with advanced application-specific permissions, indicating high privileges are required. Successful exploitation would have a high impact on integrity and confidentiality, with no impact on availability.
SQL Injection
ArcGIS Server <=11.3 LFI Allows Unauth Remote File Disclosure
CVE-2024-51961
7.5 - High
March 03, 2025
There is a local file inclusion vulnerability in ArcGIS Server 11.3 and below that may allow a remote, unauthenticated attacker to craft a URL that could potentially disclose sensitive configuration information by reading internal files from the remote server. Due to the nature of the files accessible in this vulnerability, the impact to confidentiality is High; there is no impact to either integrity or availability.
Externally Controlled Reference to a Resource in Another Sphere
ArcGIS Server <=11.3 XSS: Auth Publisher can run JS
CVE-2024-51960
4.8 - Medium
March 03, 2025
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.
XSS
Stored XSS via crafted link in Esri ArcGIS Server 11.3 and earlier
CVE-2024-51959
4.8 - Medium
March 03, 2025
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.
XSS
Path Traversal in ESRI ArcGIS Server <11.3: Remote Auth Admin Affects Confidentiality
CVE-2024-51958
4.9 - Medium
March 03, 2025
There is a path traversal vulnerability in ESRI ArcGIS Server versions 11.3 and below. Successful exploitation may allow a remote authenticated attacker with admin privileges to traverse the file system to access files outside of the intended directory. There is no impact to integrity or availability due to the nature of the files that can be accessed, but there is a potential high impact to confidentiality.
Directory traversal
Stored XSS in ArcGIS Server <11.3 (publisher intent)
CVE-2024-51957
4.8 - Medium
March 03, 2025
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.
XSS
CVE-2024-51956: Stored XSS in ArcGIS Server <11.3 via crafted link
CVE-2024-51956
4.8 - Medium
March 03, 2025
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.
XSS
ArcGIS Server Improper Access Control: 11.3 & prior (Win/Linux)
CVE-2024-51954
8.5 - High
March 03, 2025
There is an improper access control issue in ArcGIS Server versions 11.3 and below on Windows and Linux which, under unique circumstances, could allow a remote, low-privileged authenticated attacker to access secure services published to a standalone (unfederated) ArcGIS Server instance. Successful exploitation results in unauthorized access to protected services outside the attacker's originally assigned authorization boundary, constituting a scope change. If exploited, this issue would have a high impact on confidentiality, a low impact on integrity, and no impact on the availability of the software.
Authorization
Stored XSS in ArcGIS Server <=11.3 via crafted link (publisher creds)
CVE-2024-51953
4.8 - Medium
March 03, 2025
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.
XSS
Stored XSS in Esri ArcGIS Server 11.3 via Authenticated Publisher
CVE-2024-51952
4.8 - Medium
March 03, 2025
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.
XSS
Stored XSS in ArcGIS Server <11.3 via crafted link (publisher auth)
CVE-2024-51951
4.8 - Medium
March 03, 2025
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.
XSS
Stored XSS in ArcGIS Server <11.3 Allows Authenticated Remote Exec
CVE-2024-51950
4.8 - Medium
March 03, 2025
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.
XSS
Stored XSS in ArcGIS Server <=11.3 via crafted link
CVE-2024-51949
4.8 - Medium
March 03, 2025
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.
XSS
ArcGIS Server <11.3 Stored XSS via Crafted Link
CVE-2024-51948
4.8 - Medium
March 03, 2025
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.
XSS
ArcGIS Server <=11.3 XSS via stored craft link in Web UI (pub role)
CVE-2024-51947
4.8 - Medium
March 03, 2025
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.
XSS
ArcGIS Server <=11.3 stored XSS via crafted link (publisher auth)
CVE-2024-51946
4.8 - Medium
March 03, 2025
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.
XSS
ArcGIS Server <11.3 Stored XSS via Crafted Link (High Privileges)
CVE-2024-51945
4.8 - Medium
March 03, 2025
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.
XSS
Stored XSS in ArcGIS Server 11.3 and below (link component) – Esri
CVE-2024-51944
4.8 - Medium
March 03, 2025
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.
XSS
ArcGIS Server Auth Config Vulnerability (CVE-2024-37694)
CVE-2024-37694
June 21, 2024
Rejected reason: This submission has been rejected by the CNA of record. Authentication is user configurable as described in our documentation. https://enterprise.arcgis.com/en/server/latest/administer/windows/configuring-arcgis-server-security.htm
ArcGIS Enterprise 11.0 Remote Info Disclosure via Malformed Query
CVE-2023-25848
5.3 - Medium
August 25, 2023
ArcGIS Enterprise Server versions 11.0 and below have an information disclosure vulnerability where a remote, unauthorized attacker may submit a crafted query that may result in a low severity information disclosure issue. The information disclosed is limited to a single attribute in a database connection string. No business data is disclosed.
Cleartext Transmission of Sensitive Information
ArcGIS Server <11.1 Authenticated XSS via Crafted Hover Link
CVE-2023-25840
3.4 - Low
July 21, 2023
There is a Cross-site Scripting vulnerability in ArcGIS Server in versions 11.1 and below that may allow a remote, authenticated attacker to create a crafted link which onmouseover won't execute but could potentially render an image in the victim's browser. The privileges required to execute this attack are high.
XSS
ArcGIS Server XSS via Feature Services <11.0 (CVE-2023-25841)
CVE-2023-25841
6.1 - Medium
July 21, 2023
There is a stored Cross-site Scripting vulnerability in Esri ArcGIS Server versions 11.0 and below on Windows and Linux platforms that may allow a remote, unauthenticated attacker to create crafted content which, when clicked, could potentially execute arbitrary JavaScript code in the victim's browser. Mitigation: Disable anonymous access to ArcGIS Feature services with edit capabilities.
XSS
Esri ArcGIS Server <10.9.1 Path Traversal (CVE-2022-38202)
CVE-2022-38202
7.5 - High
December 28, 2022
There is a path traversal vulnerability in Esri ArcGIS Server versions 10.9.1 and below. Successful exploitation may allow a remote, unauthenticated attacker to traverse the file system to access files outside of the intended directory on ArcGIS Server. This could lead to the disclosure of sensitive site configuration information (not user datasets).
Directory traversal
ArcGIS Server <10.9.2: Reflected XSS in services dir (CVE-2022-38198)
CVE-2022-38198
6.1 - Medium
October 25, 2022
There is a reflected cross site scripting issue in the Esri ArcGIS Server services directory, versions 10.9.1 and below, that may allow a remote, unauthenticated attacker to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the victim's browser.
XSS
ArcGIS Server <=10.9.1: Reflected XSS via crafted link
CVE-2022-38195
6.1 - Medium
October 25, 2022
There is a reflected cross site scripting issue in Esri ArcGIS Server versions 10.9.1 and below which may allow a remote unauthorized attacker, able to convince a user to click on a crafted link, to potentially execute arbitrary JavaScript code in the victim's browser.
XSS
Esri ArcGIS Server Remote Download Allows Unauth Process Launch
CVE-2022-38199
6.1 - Medium
October 25, 2022
A remote file download issue can occur in some capabilities of Esri ArcGIS Server web services that may in some edge cases allow a remote, unauthenticated attacker to induce an unsuspecting victim to launch a process in the victim's PATH environment. Current browsers provide users with warnings against running unsigned executables downloaded from the internet.
Download of Code Without Integrity Check
ArcGIS Server 10.7.1/10.8.1 XSS via map service config requests
CVE-2022-38200
6.1 - Medium
October 25, 2022
A cross site scripting vulnerability exists in some map service configurations of ArcGIS Server versions 10.8.1 and 10.7.1. Specifically crafted web requests can execute arbitrary JavaScript in the context of the victim's browser.
XSS
Esri ArcGIS Server <10.9.1 Path Traversal -> Authenticated DoS
CVE-2022-38196
8.1 - High
October 25, 2022
Esri ArcGIS Server versions 10.9.1 and prior have a path traversal vulnerability that may result in a denial of service by allowing a remote, authenticated attacker to overwrite an internal ArcGIS Server directory.
Directory traversal
Esri ArcGIS Server <10.9.1 Unvalidated Redirect
CVE-2022-38197
6.1 - Medium
October 25, 2022
Esri ArcGIS Server versions 10.9.1 and below have an unvalidated redirect issue that may allow a remote, unauthenticated attacker to phish a user into accessing an attacker-controlled website via a crafted query parameter.
Open Redirect
A SQL injection vulnerability in feature services provided by Esri ArcGIS Server 10.9 and below
CVE-2021-29114
9.8 - Critical
December 07, 2021
A SQL injection vulnerability in feature services provided by Esri ArcGIS Server 10.9 and below allows a remote, unauthenticated attacker to impact the confidentiality, integrity and availability of targeted services via specifically crafted queries.
SQL Injection
A stored Cross Site Scripting (XSS) vulnerability in Esri ArcGIS Server feature services, versions 10.8.1 and 10.9 (only)
CVE-2021-29116
6.1 - Medium
December 07, 2021
A stored Cross Site Scripting (XSS) vulnerability in Esri ArcGIS Server feature services, versions 10.8.1 and 10.9 (only), may allow a remote, unauthenticated attacker to pass and store malicious strings via crafted queries which, when accessed, could potentially execute arbitrary JavaScript code in the user's browser.
XSS
A remote file inclusion vulnerability in the ArcGIS Server help documentation
CVE-2021-29113
4.7 - Medium
December 07, 2021
A remote file inclusion vulnerability in the ArcGIS Server help documentation may allow a remote, unauthenticated attacker to inject attacker-supplied HTML into a page.
Inclusion of Functionality from Untrusted Control Sphere
A stored Cross Site Scripting (XSS) vulnerability in Esri ArcGIS Server Services Directory version 10.8.1 and below
CVE-2021-29105
5.4 - Medium
July 11, 2021
A stored Cross Site Scripting (XSS) vulnerability in Esri ArcGIS Server Services Directory version 10.8.1 and below may allow a remote authenticated attacker to pass and store malicious strings in the ArcGIS Services Directory.
XSS
A stored Cross Site Scripting (XSS) vulnerability in ArcGIS Server Manager version 10.8.1 and below
CVE-2021-29104
6.1 - Medium
July 11, 2021
A stored Cross Site Scripting (XSS) vulnerability in ArcGIS Server Manager version 10.8.1 and below may allow a remote unauthenticated attacker to pass and store malicious strings in the ArcGIS Server Manager application.
XSS
A reflected Cross Site Scripting (XSS) vulnerability in ArcGIS Server version 10.8.1 and below
CVE-2021-29103
6.1 - Medium
July 11, 2021
A reflected Cross Site Scripting (XSS) vulnerability in ArcGIS Server version 10.8.1 and below may allow a remote attacker, able to convince a user to click on a crafted link, to potentially execute arbitrary JavaScript code in the user's browser.
XSS