CVE-2023-25840: ArcGIS Server Security 2023 Update 1 Patch available!
There is a Cross-site Scripting vulnerability in ArcGIS Server in versions 10.8.1 – 11.1 that may allow a remote, authenticated attacker to create a crafted link which onmouseover won't execute but could potentially render an image in the victim's browser. The privileges required to execute this attack are high.
ArcGIS Server Security 2023 Update 1 Patch is now available. This patch contains fixes for multiple medium priority security issues. Esri highly recommends customers using ArcGIS Server 11.1 through 10.8.1 to install this patch. Users at version 10.7.1 should upgrade to 10.9.1 or 11.1 and install this patch. ArcGIS 10.7.1 is in mature support status and no longer receives patches. Users working with ArcGIS Enterprise 10.7.1 and below are encouraged to upgrade to versions 11.1 (preferred), 10.9.1 or 10.8.1 and install available security patches.
This patch was released on June 28, 2023 and is available here.
We provide Common Vulnerability Scoring System v.3.1 (CVSS) scores to allow our customers to better assess risk of these vulnerabilities to their operations. Both base and modified temporal scores are provided to reflect the availability of an official patch.
Vulnerabilities fixed by this patch:
- BUG-000154070 Stored XSS issue in the ArcGIS REST Services directory
- CVE Details: CVE-2023-25840
- CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
- CVSSv3.1 Base Score: 5.4 (Moderate) CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- CVSSv3.1 Environmentally Modified Score: 5.2 (Moderate) CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/RL:O
Description: There is a stored Cross-site Scripting vulnerability in Esri ArcGIS Server versions 10.8.1 – 11.0 on Windows and Linux platforms that may allow a remote, authenticated attacker to create crafted content which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are low.
Mitigation: Disable the ArcGIS Server REST Services Directory.
- BUG-000158075 Stored XSS issue in ArcGIS Server
- CVE Details: CVE-2023-25841
- CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
- CVSSv3.1 Base Score: 6.1 (Medium) CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- CVSSv3.1 Environmentally Modified Score: 5.2 (Medium) CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/RL:O/MPR:L
Description: There is a stored Cross-site Scripting vulnerability in Esri ArcGIS Server versions 10.8.1 – 11.0 on Windows and Linux platforms that may allow a remote, unauthenticated attacker to create crafted content which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser.
Mitigation: Disable anonymous access to ArcGIS Feature services with edit capabilities.
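As an added example, not part of Esri's advisory or tooling: a small Python triage helper that applies the advisory's affected version range and both listed mitigations to responses collected from a server. It assumes `currentVersion` from `/arcgis/rest/info?f=json`, a `servicesDirEnabled` key from the Administrator Directory's REST handler settings, and a constructed per-service `anonymous` flag standing in for the service's permission configuration.

```python
import json

# Version range the advisory names as affected (10.8.1 through 11.1).
AFFECTED_MIN = (10, 8, 1)
AFFECTED_MAX = (11, 1)
# Capability names that make a feature service editable.
EDIT_CAPS = {"Create", "Update", "Delete", "Editing"}


def parse_version(current_version: float) -> tuple:
    """Turn the numeric currentVersion from /arcgis/rest/info (10.81, 10.91, 11.1)
    into a comparable tuple: 10.81 -> (10, 8, 1), 11.1 -> (11, 1)."""
    major, _, frac = f"{current_version:g}".partition(".")
    return tuple([int(major)] + [int(ch) for ch in frac])


def is_affected(current_version: float) -> bool:
    return AFFECTED_MIN <= parse_version(current_version) <= AFFECTED_MAX


def allows_editing(capabilities: str) -> bool:
    """capabilities is the comma-separated string a feature service reports."""
    return bool(EDIT_CAPS & {c.strip() for c in capabilities.split(",")})


def triage(info_json: str, services_dir_json: str, feature_services: list) -> list:
    """Return one finding per issue from the advisory that is not mitigated."""
    findings = []
    if not is_affected(json.loads(info_json)["currentVersion"]):
        return findings
    # servicesDirEnabled key name is an assumption about the admin handler response.
    if json.loads(services_dir_json).get("servicesDirEnabled", True):
        findings.append("CVE-2023-25840: affected version with REST Services Directory enabled; "
                        "install the Security 2023 Update 1 patch or disable the directory")
    for svc in feature_services:
        if svc["anonymous"] and allows_editing(svc["capabilities"]):
            findings.append(f"CVE-2023-25841: {svc['name']} allows anonymous editing; "
                            "install the patch or disable anonymous access")
    return findings


# Constructed sample responses, not captured from a real server.
SAMPLE_INFO = '{"currentVersion": 10.91}'
SAMPLE_SERVICES_DIR = '{"servicesDirEnabled": true}'
SAMPLE_FEATURE_SERVICES = [
    {"name": "Parcels/FeatureServer", "capabilities": "Query,Create,Update,Delete", "anonymous": True},
    {"name": "Roads/FeatureServer", "capabilities": "Query", "anonymous": True},
    {"name": "Staff/FeatureServer", "capabilities": "Query,Editing", "anonymous": False},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_INFO, SAMPLE_SERVICES_DIR, SAMPLE_FEATURE_SERVICES):
        print(finding)
```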