cvebase

Esri Arcgis Server vulnerabilities

68 known vulnerabilities affecting esri/arcgis_server.

Total CVEs: 68
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 4, HIGH 6, MEDIUM 54, LOW 4

Vulnerabilities

Page 2 of 4
CVE-2025-67711 | P4 | MEDIUM | CVSS 6.1 | ≤ 11.5 | ≥ 10.9.1, ≤ 11.4 | 2025-12-31
CVE-2025-67711 [MEDIUM] CWE-79: There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.
nvd
CVE-2025-67708 | P4 | MEDIUM | CVSS 6.1 | ≤ 11.5 | ≥ 10.9.1, ≤ 11.4 | 2025-12-31
CVE-2025-67708 [MEDIUM] CWE-79: There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.
nvd
CVE-2025-67709 | P4 | MEDIUM | CVSS 6.1 | ≤ 11.5 | ≥ 10.9.1, ≤ 11.4 | 2025-12-31
CVE-2025-67709 [MEDIUM] CWE-79: There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.
nvd
CVE-2025-67710 | P4 | MEDIUM | CVSS 6.1 | ≤ 11.5 | ≥ 10.9.1, ≤ 11.4 | 2025-12-31
CVE-2025-67710 [MEDIUM] CWE-79: There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.
nvd
CVE-2025-67704 | P4 | MEDIUM | CVSS 6.1 | ≤ 11.5 | ≥ 10.9.1, ≤ 11.4 | 2025-12-31
CVE-2025-67704 [MEDIUM] CWE-79: There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.
nvd
CVE-2025-67705 | P4 | MEDIUM | CVSS 6.1 | ≤ 11.5 | ≥ 10.9.1, ≤ 11.4 | 2025-12-31
CVE-2025-67705 [MEDIUM] CWE-79: There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.
nvd
CVE-2025-67703 | P4 | MEDIUM | CVSS 6.1 | ≤ 11.5 | ≥ 10.9.1, ≤ 11.4 | 2025-12-31
CVE-2025-67703 [MEDIUM] CWE-79: There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.
nvd
CVE-2021-29107 | P4 | MEDIUM | CVSS 6.1 | v10.6.1 | 2021-07-10
CVE-2021-29107 [MEDIUM] CWE-79: A stored Cross Site Scripting (XSS) vulnerability in ArcGIS Server Manager version 10.8.1 and below may allow a remote unauthenticated attacker to pass and store malicious strings in the ArcGIS Server Manager application.
nvd
CVE-2021-29104 | P4 | MEDIUM | CVSS 6.1 | fixed in 10.9.0 | ≥ All, < 10.9.0 | 2021-07-11
CVE-2021-29104 [MEDIUM] CWE-79: A stored Cross Site Scripting (XSS) vulnerability in ArcGIS Server Manager version 10.8.1 and below may allow a remote unauthenticated attacker to pass and store malicious strings in the ArcGIS Server Manager application.
nvd
CVE-2022-38198 | P4 | MEDIUM | CVSS 6.1 | ≤ 10.9.1 | ≥ All, ≤ 10.9.1 | 2022-10-25
CVE-2022-38198 [MEDIUM] CWE-79: There is a reflected cross site scripting issue in the Esri ArcGIS Server services directory versions 10.9.1 and below that may allow a remote, unauthenticated attacker to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the victim’s browser.
nvd
CVE-2023-25841 | P4 | MEDIUM | CVSS 6.1 | ≥ 10.8.1, < 11.1 | 2023-07-21
CVE-2023-25841 [MEDIUM] CWE-79: There is a stored Cross-site Scripting vulnerability in Esri ArcGIS Server versions 11.0 and below on Windows and Linux platforms that may allow a remote, unauthenticated attacker to create crafted content which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. Mitigation: Disable anonymous access to ArcGIS Fe
nvd
CVE-2021-29115 | P4 | MEDIUM | CVSS 5.3 | ≥ All, ≤ 10.9.0 | 2021-12-07
CVE-2021-29115 [MEDIUM] CWE-200: An information disclosure vulnerability in the ArcGIS Service Directory in Esri ArcGIS Enterprise versions 10.9.0 and below may allow a remote attacker to view hidden field names in feature layers. This issue may reveal field names, but does not disclose features.
nvd
CVE-2023-25848 | P4 | MEDIUM | CVSS 5.3 | ≥ 10.8.1, ≤ 11.0 | 2023-08-25
CVE-2023-25848 [MEDIUM] CWE-319: ArcGIS Enterprise Server versions 11.0 and below have an information disclosure vulnerability where a remote, unauthorized attacker may submit a crafted query that may result in a low severity information disclosure issue. The information disclosed is limited to a single attribute in a database connection string. No business data is disclosed.
nvd
CVE-2024-51958 | P4 | MEDIUM | CVSS 4.9 | ≥ 10.9.1, ≤ 11.3 | ≥ all, ≤ 11.3 | 2025-03-03
CVE-2024-51958 [MEDIUM] CWE-22: There is a path traversal vulnerability in ESRI ArcGIS Server versions 11.3 and below. Successful exploitation may allow a remote authenticated attacker with admin privileges to traverse the file system to access files outside of the intended directory. There is no impact to integrity or availability due to the nature of the files that can be accessed
nvd
CVE-2024-51966 | P4 | MEDIUM | CVSS 4.9 | ≥ 10.9.1, ≤ 11.3 | ≥ all, ≤ 11.3 | 2025-03-03
CVE-2024-51966 [MEDIUM] CWE-22: There is a path traversal vulnerability in ESRI ArcGIS Server versions 11.3 and below. Successful exploitation may allow a remote authenticated attacker with admin privileges to traverse the file system to access files outside of the intended directory. There is no impact to integrity or availability due to the nature of the files that can be accessed
nvd
CVE-2021-29116 | P4 | MEDIUM | CVSS 6.1 | v10.8.1 | v10.9.0 | +1 more | 2021-12-07
CVE-2021-29116 [MEDIUM] CWE-79: A stored Cross Site Scripting (XSS) vulnerability in Esri ArcGIS Server feature services versions 10.8.1 and 10.9 (only) may allow a remote, unauthenticated attacker to pass and store malicious strings via crafted queries which when accessed could potentially execute arbitrary JavaScript code in the user’s browser.
nvd
CVE-2022-38195 | P4 | MEDIUM | CVSS 6.1 | ≤ 10.9.1 | ≥ All, ≤ 10.9.1 | 2022-10-25
CVE-2022-38195 [MEDIUM] CWE-79: There is a reflected cross site scripting issue in Esri ArcGIS Server versions 10.9.1 and below which may allow a remote unauthorized attacker able to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the victim’s browser.
nvd
CVE-2022-38200 | P4 | MEDIUM | CVSS 6.1 | v10.7.1 | v10.8.1 | +1 more | 2022-10-25
CVE-2022-38200 [MEDIUM] CWE-79: A cross site scripting vulnerability exists in some map service configurations of ArcGIS Server versions 10.8.1 and 10.7.1. Specifically crafted web requests can execute arbitrary JavaScript in the context of the victim's browser.
nvd
CVE-2021-29103 | P4 | MEDIUM | CVSS 6.1 | fixed in 10.9.0 | ≥ All, < 10.9 | 2021-07-11
CVE-2021-29103 [MEDIUM] CWE-79: A reflected Cross Site Scripting (XSS) vulnerability in ArcGIS Server version 10.8.1 and below may allow a remote attacker able to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the user’s browser.
nvd
CVE-2021-29106 | P4 | MEDIUM | CVSS 6.1 | fixed in 10.9.0 | ≥ All, < 10.9.0 | 2021-07-10
CVE-2021-29106 [MEDIUM] CWE-79: A reflected Cross Site Scripting (XSS) vulnerability in Esri ArcGIS Server version 10.8.1 and below may allow a remote attacker able to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the user’s browser.
nvd