Multiple vulnerabilities in ESRI ArcGIS
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 17 |
| CVE-ID | CVE-2024-51942 CVE-2024-51949 CVE-2024-51947 CVE-2024-51948 CVE-2024-51950 CVE-2024-51957 CVE-2024-51951 CVE-2024-51963 CVE-2024-51960 CVE-2024-51956 CVE-2024-51946 CVE-2024-10904 CVE-2024-51953 CVE-2024-51944 CVE-2024-51945 CVE-2024-5888 CVE-2024-51952 |
| CWE-ID | CWE-79 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
ArcGIS Universal components / Libraries / Software for developers |
| Vendor | ESRI |
Security Bulletin
This security bulletin contains information about 17 vulnerabilities.
1) Stored cross-site scripting
EUVDB-ID: #VU106297
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-51942
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user can inject a specially crafted link that when clicked will execute arbitrary JavaScript code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsArcGIS: 10.9.1 - 11.2
CPE2.3- cpe:2.3:a:esri:arcgis:10.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:esri:arcgis:11.1:*:*:*:*:*:*:*
- cpe:2.3:a:esri:arcgis:11.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Stored cross-site scripting
EUVDB-ID: #VU106289
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-51949
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user can inject a specially crafted link that when clicked will execute arbitrary JavaScript code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsArcGIS: 10.9.1 - 11.2
CPE2.3- cpe:2.3:a:esri:arcgis:10.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:esri:arcgis:11.1:*:*:*:*:*:*:*
- cpe:2.3:a:esri:arcgis:11.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Stored cross-site scripting
EUVDB-ID: #VU106291
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-51947
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user can inject a specially crafted link that when clicked will execute arbitrary JavaScript code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsArcGIS: 10.9.1 - 11.2
CPE2.3- cpe:2.3:a:esri:arcgis:10.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:esri:arcgis:11.1:*:*:*:*:*:*:*
- cpe:2.3:a:esri:arcgis:11.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Stored cross-site scripting
EUVDB-ID: #VU106292
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-51948
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user can inject a specially crafted link that when clicked will execute arbitrary JavaScript code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsArcGIS: 10.9.1 - 11.2
CPE2.3- cpe:2.3:a:esri:arcgis:10.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:esri:arcgis:11.1:*:*:*:*:*:*:*
- cpe:2.3:a:esri:arcgis:11.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Stored cross-site scripting
EUVDB-ID: #VU106293
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-51950
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user can inject a specially crafted link that when clicked will execute arbitrary JavaScript code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsArcGIS: 10.9.1 - 11.2
CPE2.3- cpe:2.3:a:esri:arcgis:10.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:esri:arcgis:11.1:*:*:*:*:*:*:*
- cpe:2.3:a:esri:arcgis:11.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Stored cross-site scripting
EUVDB-ID: #VU106294
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-51957
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user can inject a specially crafted link that when clicked will execute arbitrary JavaScript code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsArcGIS: 10.9.1 - 11.2
CPE2.3- cpe:2.3:a:esri:arcgis:10.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:esri:arcgis:11.1:*:*:*:*:*:*:*
- cpe:2.3:a:esri:arcgis:11.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Stored cross-site scripting
EUVDB-ID: #VU106295
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-51951
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user can inject a specially crafted link that when clicked will execute arbitrary JavaScript code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsArcGIS: 10.9.1 - 11.2
CPE2.3- cpe:2.3:a:esri:arcgis:10.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:esri:arcgis:11.1:*:*:*:*:*:*:*
- cpe:2.3:a:esri:arcgis:11.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Stored cross-site scripting
EUVDB-ID: #VU106296
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-51963
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user can inject a specially crafted link that when clicked will execute arbitrary JavaScript code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsArcGIS: 10.9.1 - 11.2
CPE2.3- cpe:2.3:a:esri:arcgis:10.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:esri:arcgis:11.1:*:*:*:*:*:*:*
- cpe:2.3:a:esri:arcgis:11.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Stored cross-site scripting
EUVDB-ID: #VU106298
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-51960
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user can inject a specially crafted link that when clicked will execute arbitrary JavaScript code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsArcGIS: 10.9.1 - 11.2
CPE2.3- cpe:2.3:a:esri:arcgis:10.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:esri:arcgis:11.1:*:*:*:*:*:*:*
- cpe:2.3:a:esri:arcgis:11.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Stored cross-site scripting
EUVDB-ID: #VU106306
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-51956
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user can inject a specially crafted link that when clicked will execute arbitrary JavaScript code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsArcGIS: 10.9.1 - 11.2
CPE2.3- cpe:2.3:a:esri:arcgis:10.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:esri:arcgis:11.1:*:*:*:*:*:*:*
- cpe:2.3:a:esri:arcgis:11.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Stored cross-site scripting
EUVDB-ID: #VU106299
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-51946
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user can inject a specially crafted link that when clicked will execute arbitrary JavaScript code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsArcGIS: 10.9.1 - 11.2
CPE2.3- cpe:2.3:a:esri:arcgis:10.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:esri:arcgis:11.1:*:*:*:*:*:*:*
- cpe:2.3:a:esri:arcgis:11.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Stored cross-site scripting
EUVDB-ID: #VU106300
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-10904
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user can inject a specially crafted link that when clicked will execute arbitrary JavaScript code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsArcGIS: 10.9.1 - 11.2
CPE2.3- cpe:2.3:a:esri:arcgis:10.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:esri:arcgis:11.1:*:*:*:*:*:*:*
- cpe:2.3:a:esri:arcgis:11.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Stored cross-site scripting
EUVDB-ID: #VU106301
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-51953
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user can inject a specially crafted link that when clicked will execute arbitrary JavaScript code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsArcGIS: 10.9.1 - 11.2
CPE2.3- cpe:2.3:a:esri:arcgis:10.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:esri:arcgis:11.1:*:*:*:*:*:*:*
- cpe:2.3:a:esri:arcgis:11.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) Stored cross-site scripting
EUVDB-ID: #VU106302
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-51944
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user can inject a specially crafted link that when clicked will execute arbitrary JavaScript code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsArcGIS: 10.9.1 - 11.2
CPE2.3- cpe:2.3:a:esri:arcgis:10.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:esri:arcgis:11.1:*:*:*:*:*:*:*
- cpe:2.3:a:esri:arcgis:11.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
15) Stored cross-site scripting
EUVDB-ID: #VU106303
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-51945
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user can inject a specially crafted link that when clicked will execute arbitrary JavaScript code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsArcGIS: 10.9.1 - 11.2
CPE2.3- cpe:2.3:a:esri:arcgis:10.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:esri:arcgis:11.1:*:*:*:*:*:*:*
- cpe:2.3:a:esri:arcgis:11.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
16) Stored cross-site scripting
EUVDB-ID: #VU106304
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-5888
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user can inject a specially crafted link that when clicked will execute arbitrary JavaScript code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsArcGIS: 10.9.1 - 11.2
CPE2.3- cpe:2.3:a:esri:arcgis:10.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:esri:arcgis:11.1:*:*:*:*:*:*:*
- cpe:2.3:a:esri:arcgis:11.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
17) Stored cross-site scripting
EUVDB-ID: #VU106305
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-51952
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user can inject a specially crafted link that when clicked will execute arbitrary JavaScript code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsArcGIS: 10.9.1 - 11.2
CPE2.3- cpe:2.3:a:esri:arcgis:10.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:esri:arcgis:11.1:*:*:*:*:*:*:*
- cpe:2.3:a:esri:arcgis:11.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
