A cross-site scripting (XSS) vulnerability has been identified in the ArcGIS Server REST API. The defect manifests itself when an ArcGIS REST Service request includes a malformed ‘f’ parameter (format).
The malformed format parameter is echoed back to the end user's browser without filtering. Successful exploitation of this vulnerability allows remote attackers to inject arbitrary Web scripts or HTML by way of the query string.
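The defect described above, reduced to a minimal model as an added example (this is not Esri's code): an unrecognized `f` value is echoed unencoded by the vulnerable handler and HTML-encoded by the hardened one, and a small log check flags requests whose `f` parameter carries markup characters. The format allow-list, URLs and log lines are constructed for illustration, not taken from the advisory.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Hypothetical allow-list of output formats; illustrative, not Esri's list.
KNOWN_FORMATS = {"json", "pjson", "html"}

# Constructed log lines in Apache combined format (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2010:10:00:00 +0000] "GET /arcgis/rest/services?f=json HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Jan/2010:10:00:01 +0000] "GET /arcgis/rest/services?f=%3Cscript%3E HTTP/1.1" 200 803',
]


def vulnerable_format_error(f: str) -> str:
    """Mirrors the advisory's defect: the bad 'f' value lands in the error page unencoded."""
    return f"<p>Unsupported format: {f}</p>"


def hardened_format_error(f: str) -> str:
    """Same message, but the value is HTML-encoded so brackets and quotes stay text."""
    return f"<p>Unsupported format: {html.escape(f, quote=True)}</p>"


def handle_request(url: str, safe: bool = True) -> str:
    """Reads the 'f' query parameter and renders either the allow-listed
    format name or the error page (hardened by default)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    f = params.get("f", ["html"])[0]
    if f.lower() in KNOWN_FORMATS:
        return f"<p>Rendering as {f.lower()}</p>"
    return hardened_format_error(f) if safe else vulnerable_format_error(f)


def flag_suspicious_f(log_lines):
    """Detection helper: returns log lines whose 'f' parameter is not on the
    allow-list and contains markup characters (percent-encoding is decoded first)."""
    hits = []
    for line in log_lines:
        try:
            path = line.split('"')[1].split(" ")[1]
        except IndexError:
            continue  # not a request line in the expected format
        f = parse_qs(urlsplit(path).query).get("f", [None])[0]
        if f and f.lower() not in KNOWN_FORMATS and any(c in f for c in "<>\"'"):
            hits.append(line)
    return hits
```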
Note: This article pertains to ArcGIS versions 9.x only. Later versions of ArcGIS may contain different functionality, as well as different names and locations for menus, commands and geoprocessing tools.
The following products are affected:
Esri has scored this vulnerability using the Common Vulnerability Scoring System (CVSS); the scores below indicate an overall low to medium risk for this issue. Further information on this scoring system may be found at: Common Vulnerability Scoring System.
Base Score: 2.6
Access Vector: Network
Access Complexity: High
Authentication: None required
Exploitability Score: 4.9
Impact Score: 2.9
This vulnerability was addressed in ArcGIS Server 9.3.1 SP1.