ArcGIS for Server allows the upload of executable files. To upload an executable file, the user must be a publisher or administrator of ArcGIS for Server.
An attacker who obtained publisher or administrator access to ArcGIS for Server could upload .exe files to the ArcGIS for Server machine.
CVE-2013-5221: Inadequate filtering of mobile uploads
Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P; Base Score: 6
This vulnerability may be viewed as a standard entry in the Common Vulnerabilities and Exposures list.
Esri thanks the following for working with us to help protect customers:
• Roberto Suggi Liverani of NCIA-NCIRC for reporting this vulnerability.
One area of ArcGIS for Server did not check that only allowed file types were being uploaded.
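An added example, not Esri's code, of the kind of server-side allowlist check this advisory describes as missing: it validates both the client-supplied file name and the leading bytes of the content. The allowlist entries, the `check_upload` function and the sample uploads are assumptions made for illustration.

```python
import os

# Assumed allowlist for illustration; the advisory does not name the permitted types.
ALLOWED_EXTENSIONS = {".zip", ".json", ".csv"}

# Leading bytes of executable formats, refused whatever the file is called.
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE/DOS executable",
    b"\x7fELF": "ELF executable",
    b"#!": "script with an interpreter line",
}


def check_upload(filename, head):
    """Return (accepted, reason) for a client-supplied name and the first bytes of the body."""
    if not filename or "\x00" in filename:
        return False, "invalid file name"
    # Keep only the final path component, whichever separator the client used.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows drops trailing dots and spaces on save, so compare the name it would store.
    name = name.rstrip(". ")
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext!r} is not on the allowlist"
    # An allowed extension proves nothing about content: sniff the header as well.
    for magic, kind in EXECUTABLE_MAGIC.items():
        if head.startswith(magic):
            return False, f"content is a {kind}"
    return True, "ok"


def demo():
    # Constructed sample uploads: (name, first bytes of body).
    samples = [
        ("report.ZIP", b"PK\x03\x04"),
        ("payload.exe", b"MZ\x90\x00"),
        ("data.zip", b"MZ\x90\x00"),       # executable renamed to an allowed type
        ("a.zip.exe", b"PK\x03\x04"),
        ("x.exe\x00.zip", b"PK\x03\x04"),  # NUL byte hiding the real extension
    ]
    return [(name, *check_upload(name, head)) for name, head in samples]


if __name__ == "__main__":
    for name, ok, reason in demo():
        print(f"{name!r:20} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```

The check belongs on every upload path of the server, since the flaw described here was a single path that skipped it.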