NIM093227: A reflected non-persistent cross-site scripting vulnerability exists in ArcGIS for Server 10.1 SP1

Last Published: April 25, 2020


In one of the URLs that ArcGIS for Server 10.1 exposes, a reflected non-persistent cross-site vulnerability exists. This issue does not exist in ArcGIS for Server 10.2.

CVE Reference
CVE-2013-5222 Various XSS Vulnerabilities
Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N Base Score 3.5
This vulnerability may be viewed as a standard entry in the Common Vulnerabilities and Exposures list

Esri thanks the following for working with us to protect customers:

  • Roberto Suggi Liverani of NCIA-NCIRC for reporting this vulnerability.


An attacker can use this vulnerability to run a script within the browser when viewing an Esri page using a specially constructed URL supplied by the hacker.


This issue has been fixed in ArcGIS 10.2 for Server. Esri recommends that customers upgrade to the latest version of ArcGIS for Server.

For those customers that cannot upgrade, Esri has released a security patch that resolves this and other security vulnerabilities in ArcGIS 10.1 SP1. Customers should download and install the 10.1 SP1 Security Patch, which can be found here:

Article ID:000011863

  • ArcGIS Server

Get help from ArcGIS experts

Contact technical support

Download the Esri Support App

Go to download options

Related Information

Discover more on this topic