Esri ArcGIS Server
cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*
- <= 11.4
A stored cross-site scripting vulnerability has been identified in Esri ArcGIS Server versions 11.4 and earlier, on both Windows and Linux. It allows remote, unauthenticated attackers to upload files containing malicious code that, under certain configurations, could be executed in the context of the victim's browser.
Successful exploitation results in stored cross-site scripting: the uploaded malicious files are executed in the context of the user's browser.
Users are advised to update to ArcGIS Server version 12.0 or to install the ArcGIS Server Security 2025 Update 2 Patch, which is available through the Esri Support website. This patch is cumulative and does not require previous security patches to be installed.