ArcGIS Server has reflective cross-site scripting and open redirect vulnerabilities

Last Published: April 25, 2020


ArcGIS for Server versions 9.2 through 10.2.2 have reflective cross-site scripting (XSS) and open redirect vulnerabilities. Esri is planning to release a patch for these low to moderate risk vulnerabilities. Details for these issues are listed below.

CVE-2014-5121 - Cross-Site Scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML (CWE-79, CVSS 4.3)
• NIM104624 - general XSS vulnerabilities
• BUG-000080898 - geocode service XSS vulnerabilities

CVE-2014-5122 - Open redirect vulnerability allows remote attackers to redirect users to arbitrary web sites (CWE-601, CVSS 5.8)
• BUG-000081239 - URL redirection to untrusted site (Open-Redirect)
The risk level of vulnerability for CVE-2014-5122 is reduced with ArcGIS 10.1 SP1 and above because of added filtering protection.


See the Description section, above.


A patch from Esri is coming soon to address these issues.

Suggested mitigations, which are best practices for secure production systems, include:
• Disabling the ArcGIS Server Services Directory
• Utilizing web application firewalls / filtering

Esri will provide status updates through this KB.

    Article ID:000012163

    • ArcGIS Server

    Receive notifications and find solutions for new or common issues

    Get summarized answers and video solutions from our new AI chatbot.

    Download the Esri Support App

    Discover more on this topic

    Get help from ArcGIS experts

    Contact technical support

    Download the Esri Support App

    Go to download options