NIM092874: ArcGIS for Server 10.1 has a reflected non-persistent cross-site scripting vulnerability

Last Published: April 25, 2020


ArcGIS for Server 10.1 has a non-persistent cross-site scripting vulnerability.

CVE Reference
CVE-2013-5222 Various XSS Vulnerabilities
Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N Base Score 3.5
This vulnerability may be viewed as a standard entry in the Vulnerabilities and Exposures list.

Esri thanks the following for working with us to protect customers:

• Roberto Suggi Liverani of NCIA-NCIRC for reporting this vulnerability.


When certain URLs are provided, user-provided code can be inserted into ArcGIS for Server web pages.


This issue is fixed in ArcGIS for Server 10.2. Esri recommends that customers upgrade to ArcGIS 10.2.

For those customers that cannot upgrade, Esri has released a security patch that addresses this and other security vulnerabilities that affect ArcGIS 10.1 SP1 for Server. Esri recommends that customers download and apply the 10.1 SP1 Security patch, which can be found here:

ArcGIS 10.1 SP1 for Server Security Patch (September 2013)

    Article ID:000011849

    • ArcGIS Server

    Receive notifications and find solutions for new or common issues

    Get summarized answers and video solutions from our new AI chatbot.

    Download the Esri Support App

    Related Information

    Discover more on this topic

    Get help from ArcGIS experts

    Contact technical support

    Download the Esri Support App

    Go to download options