

Open redirect vulnerability CVE-2014-5122 in ArcGIS for Server.

Last Published: February 11, 2015 (ArcGIS for Server)
Bug ID Number: BUG-000081239
Submitted: February 3, 2015
Last Modified: June 5, 2024
Applies to: ArcGIS for Server
Version found: 10.2.2
Version fixed: 10.3_F


ArcGIS for Server versions 9.2 through 10.2.2 have reflected cross-site scripting (XSS) and open redirect vulnerabilities. Esri is planning to release a patch for these low to moderate risk vulnerabilities. Details for these issues are listed below.

CVE-2014-5121 - Cross-Site Scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML (CWE-79, CVSS 4.3)
• NIM104624 - general XSS vulnerabilities
• BUG-000080898 - geocode service XSS vulnerabilities

CVE-2014-5122 - Open redirect vulnerability allows remote attackers to redirect users to arbitrary web sites (CWE-601, CVSS 5.8)
• BUG-000081239 - URL redirection to untrusted site (Open-Redirect)
The risk level of vulnerability for CVE-2014-5122 is reduced with ArcGIS 10.1 SP1 and above because of added filtering protection.


See the Description section, above.


A patch from Esri is coming soon to address these issues.

Suggested mitigations, which are best practices for secure production systems, include:
• Disabling the ArcGIS Server Services Directory
• Utilizing web application firewalls / filtering
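The "filtering" mitigation above is easiest to understand as a server-side check on the redirect target, which is also what a web application firewall rule for CWE-601 approximates. The following is an added example, not Esri's code and not ArcGIS Server's actual redirect logic: the parameter name and the trusted host `gis.example.org` are assumptions. It places the naive substring check that many applications use next to a hardened allowlist check that accepts only same-site relative paths or exact HTTPS matches on a trusted host, and it rejects the scheme-relative, backslash, userinfo and non-HTTPS forms that a substring check lets through.

```python
from urllib.parse import urlparse

# Assumption: the application is served from this host; every redirect must
# stay on it. Constructed value for the example, not a real deployment.
TRUSTED_HOSTS = {"gis.example.org"}


def weak_redirect_check(target: str) -> bool:
    """The 'before' form: accept anything that mentions a trusted host.

    Kept only to show why substring matching is not a filter; a target such as
    https://evil.example/?gis.example.org passes it.
    """
    return any(host in target for host in TRUSTED_HOSTS)


def safe_redirect_target(target: str, default: str = "/") -> str:
    """Return `target` if it stays on a trusted host, otherwise `default`.

    Accepts two shapes only:
      * a relative path beginning with a single '/'
      * an absolute https:// URL whose hostname is exactly in TRUSTED_HOSTS
    Everything else (other schemes, userinfo, unknown hosts, scheme-relative
    or backslash-prefixed targets, whitespace/control characters) falls back
    to `default`.
    """
    if not target:
        return default
    # Browsers strip or tolerate whitespace and control characters in URLs;
    # refuse them outright instead of trying to normalise.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in target):
        return default
    # '//host', '/\host' and '\\host' are all resolved by browsers as a new
    # origin even though they look like paths.
    if target.startswith(("//", "/\\", "\\")):
        return default

    parsed = urlparse(target)

    # Relative path: no scheme, no netloc, must start with a single slash.
    if not parsed.scheme and not parsed.netloc:
        return target if target.startswith("/") else default

    # Absolute URL: only https, no userinfo (user@host tricks), exact host.
    if parsed.scheme != "https":
        return default
    if parsed.username is not None or parsed.password is not None:
        return default
    if parsed.hostname not in TRUSTED_HOSTS:
        return default
    return target


if __name__ == "__main__":
    # Constructed inputs: one legitimate same-site path, the rest are shapes
    # the check must send back to the default landing page.
    samples = [
        "/rest/services",
        "https://gis.example.org/rest/services",
        "//evil.example/",
        "/\\evil.example",
        "https://gis.example.org@evil.example/",
        "https://evil.example/?gis.example.org",
        "http://gis.example.org/rest",
        "javascript:alert(1)",
    ]
    for s in samples:
        print(f"{s!r:48} weak={weak_redirect_check(s)!s:5} safe={safe_redirect_target(s)!r}")
```

The hardened check compares `parsed.hostname` (already lowercased and stripped of userinfo and port by `urlparse`) against an exact set rather than testing whether a trusted string appears anywhere in the target; that is the single change that closes the substring-match gap. Keeping the allowlist of trusted hosts small and matching on the whole hostname is the same principle a WAF rule for open redirects should encode.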

Esri will provide status updates through this KB.

Steps to Reproduce

Bug ID: BUG-000081239

