Open redirect vulnerability CVE-2014-5122 in ArcGIS for Server.
Last Published: February 11, 2015
ArcGIS for Server
Bug ID Number
February 3, 2015
July 28, 2020
ArcGIS for Server
The bug has been fixed. See the Version Fixed and Additional Information, if applicable, for more information.
ArcGIS for Server versions 9.2 through 10.2.2 have reflected cross-site scripting (XSS) and open redirect vulnerabilities. Esri is planning to release a patch for these low to moderate risk vulnerabilities. Details for these issues are listed below.
CVE-2014-5121 - Cross-Site Scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML (CWE-79, CVSS 4.3)
• NIM104624 - general XSS vulnerabilities
• BUG-000080898 - geocode service XSS vulnerabilities
CVE-2014-5122 - Open redirect vulnerability allows remote attackers to redirect users to arbitrary web sites (CWE-601, CVSS 5.8)
• BUG-000081239 - URL redirection to untrusted site (Open-Redirect)
The risk level of vulnerability for CVE-2014-5122 is reduced with ArcGIS 10.1 SP1 and above because of added filtering protection.
See the Description section, above.
A patch from Esri is coming soon to address these issues.
Suggested mitigations, which are best practices for secure production systems, include:
• Disabling the ArcGIS Server Services Directory
• Utilizing web application firewalls / filtering
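As an added example (not Esri's code and not part of this advisory), the kind of redirect-target filtering the advisory refers to as "filtering protection": a redirect parameter is accepted only if it is a same-site path or an absolute URL whose host is on an allow-list, with the usual CWE-601 bypass shapes rejected. The host `gis.example.com` and the function names are assumptions.

```python
from urllib.parse import urlsplit

def is_safe_redirect(target: str, allowed_hosts: frozenset[str]) -> bool:
    """Return True only if `target` is a same-site path or an absolute
    http(s) URL whose host is on the allow-list (assumed helper, not Esri's)."""
    if not target or len(target) > 2048:
        return False
    # Whitespace, control characters and backslashes have no place in a
    # redirect target; browsers normalise "\" to "/", so "/\evil" becomes
    # the protocol-relative "//evil".
    if any(ord(c) < 0x21 or c == "\\" for c in target):
        return False
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # Relative reference: require exactly one leading slash so that
        # "//host/..." (protocol-relative) and "///host" cannot slip through.
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme not in ("http", "https"):   # rejects javascript:, data:, etc.
        return False
    if "@" in parts.netloc:   # userinfo trick: https://trusted@evil.example/
        return False
    host = (parts.hostname or "").lower()
    return host in allowed_hosts   # exact match, so trusted.example.evil is rejected

def safe_redirect_target(target: str, allowed_hosts: frozenset[str],
                         default: str = "/") -> str:
    """Return `target` if it passes the filter, otherwise a fixed local default."""
    return target if is_safe_redirect(target, allowed_hosts) else default

# Constructed sample inputs, as a server might receive them in a redirect parameter.
ALLOWED = frozenset({"gis.example.com"})
SAMPLES = [
    "/arcgis/rest/services",                       # same-site path: allowed
    "https://gis.example.com/arcgis/",             # allow-listed host: allowed
    "//evil.example/",                             # protocol-relative: rejected
    "/\\evil.example",                             # backslash trick: rejected
    "https://gis.example.com@evil.example/",       # userinfo trick: rejected
    "https://gis.example.com.evil.example/",       # suffix-match trick: rejected
    "javascript:alert(1)",                         # non-http scheme: rejected
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:45} -> {safe_redirect_target(s, ALLOWED)!r}")
```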