Stored Cross-Site Scripting Vulnerability in ArcGIS Server by Esri
CVE-2024-51948

4.8MEDIUM

Key Information:

Vendor

Esri

Status
Arcgis Server
Vendor
CVE Published:
3 March 2025

What is CVE-2024-51948?

A stored Cross-Site Scripting (XSS) vulnerability exists in ArcGIS Server versions 10.9.1 to 11.3. This vulnerability enables an authenticated attacker, with sufficient privileges, to create a specially crafted link that, when clicked by a victim, can execute arbitrary JavaScript code in their browser. While the potential impact on confidentiality and integrity is limited, it highlights the importance of maintaining robust security practices and regularly applying patches.

Affected Version(s)

ArcGIS Server Windows all <= 11.3

References

https://www.esri.com/arcgis-blog/products/trust-arcgis/ad...

CVSS V3.1

Score:
4.8
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2024-51948 : Stored Cross-Site Scripting Vulnerability in ArcGIS Server by Esri