Esri ArcGIS Server Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in Esri ArcGIS Server versions 11.4 and earlier, on both Windows and Linux. This vulnerability allows remote, unauthenticated attackers to upload files containing malicious code that could be executed in the context of the victim's browser, under certain configurations.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where uploaded malicious scripts are executed in the context of the user's browser.

Remediation

Users are advised to upgrade to ArcGIS Server version 12.0 or to install the ArcGIS Server Security 2025 Update 2 Patch, which is available through the Esri Support site. This patch addresses multiple vulnerabilities and can be applied without prior patch dependencies.
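The advisory describes the general condition behind a stored cross-site scripting flaw through file upload: an uploaded file is later served back in a way that lets the browser render it as active content inside the application's origin. Beyond patching, administrators commonly verify that endpoints returning user-supplied files do not allow that. The following is an added example, not Esri's code or part of the original advisory, and it does not model the ArcGIS Server upload mechanism; it is a generic check over the response headers of any endpoint that serves uploaded files, run here against constructed sample header sets.

```python
"""
Hardening check for endpoints that serve user-uploaded files.

Added example (not Esri's code). Given the response headers used to return an
uploaded file, report whether a browser could render that file as
script-bearing content inline, which is the condition a stored XSS through
file upload depends on. The header sets under SAMPLE_RESPONSES are constructed
for illustration.
"""

# Media types a browser will execute script from when they are rendered inline.
ACTIVE_CONTENT_TYPES = {
    "text/html",
    "application/xhtml+xml",
    "image/svg+xml",
    "text/xml",
    "application/xml",
}


def _media_type(content_type):
    """Lower-cased media type of a Content-Type header, without parameters."""
    return content_type.split(";", 1)[0].strip().lower()


def _disposition_type(content_disposition):
    """'inline' or 'attachment' from a Content-Disposition header."""
    return content_disposition.split(";", 1)[0].strip().lower()


def assess_upload_response(headers):
    """
    Classify the headers (dict, names matched case-insensitively) with which
    an uploaded file is served. Returns a list of findings; an empty list means
    the file cannot be rendered inline as active content by a standards-
    compliant browser.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    media_type = _media_type(lowered.get("content-type", ""))
    disposition = _disposition_type(lowered.get("content-disposition", "inline"))
    nosniff = lowered.get("x-content-type-options", "").strip().lower() == "nosniff"

    findings = []
    # Forcing a download prevents inline rendering regardless of content type.
    if disposition == "attachment":
        return findings
    if media_type in ACTIVE_CONTENT_TYPES:
        findings.append(f"active content type {media_type} served inline")
    elif media_type == "" or not nosniff:
        # Missing or unlabelled types can be sniffed into HTML by the browser.
        findings.append(
            "content type may be sniffed; add X-Content-Type-Options: nosniff "
            "or serve the file with Content-Disposition: attachment"
        )
    return findings


# Constructed sample header sets (not captured from any real server).
SAMPLE_RESPONSES = {
    "html_inline": {"Content-Type": "text/html; charset=utf-8"},
    "svg_inline": {"Content-Type": "image/svg+xml", "Content-Disposition": "inline"},
    "octet_no_nosniff": {"Content-Type": "application/octet-stream"},
    "png_nosniff": {"Content-Type": "image/png", "X-Content-Type-Options": "nosniff"},
    "html_attachment": {
        "Content-Type": "text/html",
        "Content-Disposition": 'attachment; filename="upload.html"',
        "X-Content-Type-Options": "nosniff",
    },
}


def run_samples():
    """Assess every sample response and return name -> findings."""
    return {name: assess_upload_response(hdrs) for name, hdrs in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        status = "OK " if not findings else "RISK"
        print(f"{status} {name}: {'; '.join(findings) or 'no findings'}")
```

The check treats `Content-Disposition: attachment` as sufficient on its own, because a forced download is never executed in the serving origin; for files that must be viewable inline, serving them from a separate origin with `X-Content-Type-Options: nosniff` is the usual complement.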

Added: Dec 31, 2025, 11:18 PM
Updated: Dec 31, 2025, 11:18 PM

Vulnerability Rating

Custom Algorithm
spread          5.0
impact          1.7
exploitability  6.4
remediation     7.7
relevance       1.7
threat          0.0
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.