SB2022081843 - Multiple vulnerabilities in ESRI Portal for ArcGIS

Main Vulnerability Database SB2022081843

SB2022081843 - Multiple vulnerabilities in ESRI Portal for ArcGIS

Published: August 18, 2022

Security Bulletin ID SB2022081843

Severity

High

Patch available

YES

Number of vulnerabilities 9

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 9 secuirty vulnerabilities.

1) Improper access control (CVE-ID: CVE-2022-38184)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote attacker can bypass implemented security restrictions and gain unauthorized access to sensitive information on the system.

2) Missing Encryption of Sensitive Data (CVE-ID: CVE-2022-38194)

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to improper encryption for files. A local administrator can gain unauthorized access to sensitive information on the system.

3) Code Injection (CVE-ID: CVE-2022-38193)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation. A remote attacker can send a specially crafted request and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

4) Stored cross-site scripting (CVE-ID: CVE-2022-38192)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

5) Stored cross-site scripting (CVE-ID: CVE-2022-38189)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

6) Cross-site scripting (CVE-ID: CVE-2022-38186)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

7) Cross-site scripting (CVE-ID: CVE-2022-38188)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

8) Stored cross-site scripting (CVE-ID: CVE-2022-38190)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

9) Cross-site scripting (CVE-ID: CVE-2022-38191)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Remediation

Install update from vendor's website.

References

https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2022-update-1-patch/