BUG
ArcGIS Server Format Parameter Cross-Site Scripting (XSS) Vulnerability
Description
A cross-site scripting (XSS) vulnerability has been identified in the ArcGIS Server REST API. The defect manifests itself when an ArcGIS REST Service request includes a malformed ‘f’ parameter (format).
The malformed format parameter is echoed back to the end user's browser without filtering. Successful exploitation of this vulnerability allows remote attackers to inject arbitrary Web scripts or HTML by way of the query string.
Note: This article pertains to ArcGIS versions 9.x only. Later versions of ArcGIS may contain different functionality, as well as different names and locations for menus, commands and geoprocessing tools.
The following products are affected:
- ArcGIS Server 9.3 and 9.3.1 .NET
- ArcGIS Server 9.3 and 9.3.1 Java
Esri has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS) below, which indicates overall low to medium risk for this issue. Further information on this scoring system may be found at: Common Vulnerability Scoring System.
CVSS Ratings
Base Score: 2.6
Access Vector: Network
Access Complexity: High
Authentication: None required
Exploitability Score: 4.9
Confidentiality: None
Availability: None
Impact Score: 2.9
Confidentiality: None
Integrity: Partial
Availability: None
Cause
- The ESRI Security Team is not aware of any malicious exploitation of this vulnerability.
- This vulnerability was discovered during Web Application Security scanning.
Workaround
This vulnerability was addressed in ArcGIS Server 9.3.1 SP1.
Article ID: 000010763
- ArcGIS Server
Receive notifications and find solutions for new or common issues
Get summarized answers and video solutions from our new AI chatbot.
Related Information
Discover more on this topic
Search for related information
Find training related to this topic
Explore ideas and give feedback
Get help from ArcGIS experts
Download the Esri Support App