BUG

ArcGIS Server has reflective cross-site scripting and open redirect vulnerabilities

Last Published: April 25, 2020

Description

ArcGIS for Server versions 9.2 through 10.2.2 have reflective cross-site scripting (XSS) and open redirect vulnerabilities. Esri is planning to release a patch for these low to moderate risk vulnerabilities. Details for these issues are listed below.

CVE-2014-5121 - Cross-Site Scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML (CWE-79, CVSS 4.3)
• NIM104624 - general XSS vulnerabilities
• BUG-000080898 - geocode service XSS vulnerabilities

CVE-2014-5122 - Open redirect vulnerability allows remote attackers to redirect users to arbitrary web sites (CWE-601, CVSS 5.8)
• BUG-000081239 - URL redirection to untrusted site (Open-Redirect)
The risk level of vulnerability for CVE-2014-5122 is reduced with ArcGIS 10.1 SP1 and above because of added filtering protection.

Cause

See the Description section, above.

Workaround

A patch from Esri is coming soon to address these issues.

Suggested mitigations, which are best practices for secure production systems, include:
• Disabling the ArcGIS Server Services Directory
• Utilizing web application firewalls / filtering

Esri will provide status updates through this KB.

    Article ID:000012163

    Software:
    • ArcGIS Server

    Get help from ArcGIS experts

    Contact technical support

    Download the Esri Support App

    Go to download options

    Discover more on this topic

    Esri Community

    Search for related information

    Training

    Find training related to this topic

    ArcGIS Ideas

    Explore ideas and give feedback