Bug: ArcGIS Server has reflective cross-site scripting and open redirect vulnerabilities

Description

ArcGIS for Server versions 9.2 through 10.2.2 have reflective cross-site scripting (XSS) and open redirect vulnerabilities. Esri is planning to release a patch for these low to moderate risk vulnerabilities. Details for these issues are listed below.

CVE-2014-5121 - Cross-Site Scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML (CWE-79, CVSS 4.3)
• NIM104624 - general XSS vulnerabilities
• BUG-000080898 - geocode service XSS vulnerabilities

CVE-2014-5122 - Open redirect vulnerability allows remote attackers to redirect users to arbitrary web sites (CWE-601, CVSS 5.8)
• BUG-000081239 - URL redirection to untrusted site (Open-Redirect)

The risk from CVE-2014-5122 is reduced in ArcGIS 10.1 SP1 and later because of filtering protection added in that release.

Cause

See the Description section, above.

Workaround

A patch from Esri is coming soon to address these issues.

Suggested mitigations, which are best practices for secure production systems, include:
• Disabling the ArcGIS Server Services Directory
• Utilizing web application firewalls / filtering
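
As an added example (not part of Esri's KB or product), the following Python scan runs over constructed access-log lines and flags two indicators matching the issues above when they appear in requests to the Services Directory: script markers reflected in query parameters, and parameter values that are absolute URLs to hosts other than your own. The REST paths, parameter names and log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Common Log Format lines for the example (not from a real server).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Aug/2014:10:00:01 +0000] "GET /arcgis/rest/services?f=html HTTP/1.1" 200 512
10.0.0.6 - - [01/Aug/2014:10:00:02 +0000] "GET /arcgis/rest/services/Geocode/GeocodeServer/findAddressCandidates?SingleLine=%3Cscript%3Ealert(1)%3C/script%3E&f=html HTTP/1.1" 200 900
10.0.0.7 - - [01/Aug/2014:10:00:03 +0000] "GET /arcgis/rest/services?url=http://evil.example/phish HTTP/1.1" 302 0
10.0.0.8 - - [01/Aug/2014:10:00:04 +0000] "GET /arcgis/rest/services/World/MapServer?f=json HTTP/1.1" 200 2048
"""

# Client address, request target and status code from a Common Log Format line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

# Assumed default Services Directory prefix; adjust to your site name.
ARCGIS_REST_PREFIX = "/arcgis/rest/services"

# Markers that indicate script being reflected through a query parameter.
XSS_MARKERS = ("<script", "javascript:", "onerror=", "onload=", "<img", "<svg")


def find_indicators(request_target, own_hosts):
    """Return reasons a Services Directory request looks like an XSS or open-redirect probe."""
    reasons = []
    parts = urlsplit(request_target)
    if not parts.path.startswith(ARCGIS_REST_PREFIX):
        return reasons
    params = parse_qs(parts.query, keep_blank_values=True)  # decodes %XX once
    for name, values in params.items():
        for value in values:
            lowered = unquote(value).lower()  # second decode catches double-encoding
            if any(marker in lowered for marker in XSS_MARKERS):
                reasons.append(f"xss marker in parameter {name!r}")
            target = urlsplit(value)
            if target.scheme in ("http", "https") and target.hostname and target.hostname not in own_hosts:
                reasons.append(f"external URL in parameter {name!r}: {target.hostname}")
    return reasons


def scan_log(log_text, own_hosts):
    """Scan access-log text; own_hosts is the set of hostnames redirects may legitimately point to."""
    findings = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        client, request_target, status = match.groups()
        for reason in find_indicators(request_target, own_hosts):
            findings.append({"client": client, "path": urlsplit(request_target).path,
                             "status": int(status), "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG, {"gis.example.org"}):
        print(finding)
```

The same checks can be expressed as web application firewall rules; the scan is useful for reviewing logs from before a filter was in place.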

Esri will provide status updates through this KB.