NIM092820: Mobile Content Server has a cross-site scripting vulnerability

Last Published: October 20, 2020


The Mobile Content Server in ArcGIS for Server has cross-site scripting vulnerabilities in versions 10.1 SP1 and 10.2. NIM092820 is a persistent cross-site scripting vulnerability in ArcGIS for Server 10.1 and 10.2. The vulnerability is behind authenticated pages.

CVE Reference
CVE-2013-5222 Various XSS Vulnerabilities
Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N Base Score 3.5
This vulnerability may be viewed as a standard entry in the Common Vulnerabilities and Exposures list.

Esri thanks the following for working with us to protect customers:

  • Roberto Suggi Liverani of NCIA-NCIRC for reporting this vulnerability


Improper validation of user-supplied content.


Esri has released two security patches that address the Mobile Content Server issue and other security vulnerabilities that affect ArcGIS 10.1 SP1 for Server and ArcGIS 10.2 for Server. Esri recommends that customers download and apply the appropriate patch.

For those that cannot apply these security patches, the Mobile Content Server can be removed from the product. The Mobile Content Server is not commonly used.

  1. Navigate to the ArcGIS Install Directory.
  2. Navigate to framework/runtime/tomcat/webapps.
  3. Delete the folder arcgis#mobile.

Article ID:000011848

  • ArcGIS Server

Get help from ArcGIS experts

Contact technical support

Download the Esri Support App

Go to download options

Related Information

Discover more on this topic