ArcGIS Server Format Parameter Cross-Site Scripting (XSS) Vulnerability

Last Published: January 6, 2021


A cross-site scripting (XSS) vulnerability has been identified in the ArcGIS Server REST API. The defect manifests itself when an ArcGIS REST Service request includes a malformed ‘f’ parameter (format).

The malformed format parameter is echoed back to the end user's browser without filtering. Successful exploitation of this vulnerability allows remote attackers to inject arbitrary Web scripts or HTML by way of the query string.

This article pertains to ArcGIS versions 9.x only. Later versions of ArcGIS may contain different functionality, as well as different names and locations for menus, commands and geoprocessing tools.

The following products are affected:

  • ArcGIS Server 9.3 and 9.3.1 .NET
  • ArcGIS Server 9.3 and 9.3.1 Java

Esri has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS) below, which indicates overall low to medium risk for this issue. Further information on this scoring system may be found at: Common Vulnerability Scoring System.

CVSS Ratings
Base Score: 2.6
Access Vector: Network
Access Complexity: High
Authentication: None required

Exploitability Score: 4.9
Confidentiality: None
Availability: None

Impact Score: 2.9
Confidentiality: None
Integrity: Partial
Availability: None


  • The ESRI Security Team is not aware of any malicious exploitation of this vulnerability.
  • This vulnerability was discovered during Web Application Security scanning.


This vulnerability was addressed in ArcGIS Server 9.3.1 SP1.

Article ID:000010763

  • ArcGIS Server

Get help from ArcGIS experts

Contact technical support

Download the Esri Support App

Go to download options

Related Information

Discover more on this topic