Esri ArcGIS Server
cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*
- 11.5
A URL redirection vulnerability has been identified in ArcGIS Server 11.5, where an authenticated attacker can exploit an input validation weakness in the login redirection process. This exploitation could lead to the application redirecting the user's browser to an unintended and untrusted site. While this may result in a limited confidentiality impact under specific user interaction conditions, the vulnerability is confined to client-side navigation logic during authentication, without any server-side compromise or cross-component impact.
Exploitation of this vulnerability allows for open redirection, where users can be sent to untrusted external sites, potentially leading to phishing or other malicious activities.
Users can apply the ArcGIS Server Security 2026 Update 1 Patch, which is available through the Esri Patches and Updates page. This patch should be installed as soon as possible, as it addresses this vulnerability and others in the same version range.
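The weakness class described above, a login flow that redirects to a target it has not validated, is illustrated here with an added example; it is not Esri's code and not part of the original advisory. It shows a validator that accepts only local paths or HTTPS URLs on an allow-list and falls back to a default otherwise. The host `gis.example.com`, the function name and the sample inputs are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# Hypothetical allow-list: hosts the application may send users to after login.
ALLOWED_HOSTS = frozenset({"gis.example.com"})
DEFAULT_TARGET = "/"


def safe_redirect_target(target, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET):
    """Return target if it is a local path or an HTTPS URL on an allowed host,
    otherwise return default."""
    if not target:
        return default
    # Browsers treat "\" like "/" and drop tabs/newlines inside URLs, so a
    # parser and a browser can disagree; reject such input instead of fixing it.
    if "\\" in target or any(ord(c) <= 0x20 or ord(c) == 0x7F for c in target):
        return default
    try:
        parts = urlsplit(target)
    except ValueError:  # e.g. malformed IPv6 literal
        return default
    if not parts.scheme and not parts.netloc:
        # Relative reference: allow only an absolute local path. A leading
        # "//" is protocol-relative and would leave the site.
        if target.startswith("/") and not target.startswith("//"):
            return target
        return default
    if parts.scheme != "https":
        return default
    # "https://allowed@other-host/" puts the trusted name in userinfo only.
    if parts.username is not None or parts.password is not None:
        return default
    host = parts.hostname  # lower-cased, port and userinfo stripped
    if host and host in allowed_hosts:
        return target
    return default


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real request.
    for sample in ["/manager/index.html", "https://gis.example.com/home",
                   "//untrusted.example/", "https://gis.example.com@untrusted.example/",
                   "https://gis.example.com.untrusted.example/", "/\\untrusted.example"]:
        print(f"{sample!r:50} -> {safe_redirect_target(sample)!r}")
```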