Filtered by vendor Esri
Subscribe
Total
161 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-57871 | 1 Esri | 1 Portal For Arcgis | 2025-10-17 | N/A | 4.8 MEDIUM |
| There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser. | |||||
| CVE-2025-55107 | 1 Esri | 1 Portal For Arcgis | 2025-09-05 | N/A | 4.8 MEDIUM |
| There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 – 11.4 that may allow a remote, authenticated attacker to inject malicious a file with an embedded xss script which when loaded could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal. | |||||
| CVE-2025-55106 | 1 Esri | 1 Portal For Arcgis | 2025-09-05 | N/A | 4.8 MEDIUM |
| There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 – 11.4 that may allow a remote, authenticated attacker to inject malicious a file with an embedded xss script which when loaded could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal. | |||||
| CVE-2025-55105 | 1 Esri | 1 Portal For Arcgis | 2025-09-05 | N/A | 4.8 MEDIUM |
| There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 – 11.4 that may allow a remote, authenticated attacker to inject malicious a file with an embedded xss script which when loaded could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal. | |||||
| CVE-2025-55104 | 1 Esri | 1 Portal For Arcgis | 2025-09-05 | N/A | 4.8 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability exists ArcGIS HUB and ArcGIS Enterprise Sites which allows an authenticated user with the ability to create or edit a site to add and store an XSS payload. If this stored XSS payload is triggered by any user attacker supplied JavaScript may execute in the victim's browser. | |||||
| CVE-2025-55103 | 1 Esri | 1 Portal For Arcgis | 2025-09-05 | N/A | 4.8 MEDIUM |
| There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 – 11.4 that may allow a remote, authenticated attacker to inject malicious a file with an embedded xss script which when loaded could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal. | |||||
| CVE-2025-1068 | 1 Esri | 2 Arcgis Allsource, Arcgis Pro | 2025-06-20 | N/A | 7.3 HIGH |
| There is an untrusted search path vulnerability in Esri ArcGIS AllSource 1.2 and 1.3 that may allow a low privileged attacker with write privileges to the local file system to introduce a malicious executable to the filesystem. When the victim performs a specific action using ArcGIS AllSource, the file could execute and run malicious commands under the context of the victim. This issue is corrected in ArcGIS AllSource 1.2.1 and 1.3.1. | |||||
| CVE-2025-1067 | 1 Esri | 2 Arcgis Allsource, Arcgis Pro | 2025-06-20 | N/A | 7.3 HIGH |
| There is an untrusted search path vulnerability in Esri ArcGIS Pro 3.3 and 3.4 that may allow a low privileged attacker with write privileges to the local file system to introduce a malicious executable to the filesystem. When the victim performs a specific action using ArcGIS ArcGIS Pro, the file could execute and run malicious commands under the context of the victim. This issue is addressed in ArcGIS Pro 3.3.3 and 3.4.1. | |||||
| CVE-2021-29098 | 1 Esri | 4 Arcgis Engine, Arcgis Pro, Arcmap and 1 more | 2025-05-05 | 6.8 MEDIUM | 7.8 HIGH |
| Multiple uninitialized pointer vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allow an unauthenticated attacker to achieve arbitrary code execution in the context of the current user. | |||||
| CVE-2023-25836 | 1 Esri | 1 Portal For Arcgis | 2025-04-23 | N/A | 5.4 MEDIUM |
| There is a Cross-site Scripting vulnerability in Esri Portal for ArcGIS Sites in versions 10.9 and below that may allow a remote, authenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victims browser. The privileges required to execute this attack are low. | |||||
| CVE-2023-25831 | 1 Esri | 1 Portal For Arcgis | 2025-04-23 | N/A | 6.1 MEDIUM |
| There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.9.1and below which may allow a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. | |||||
| CVE-2023-25830 | 1 Esri | 1 Portal For Arcgis | 2025-04-23 | N/A | 6.1 MEDIUM |
| There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.9.1and before which may allow a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. | |||||
| CVE-2023-25829 | 1 Esri | 1 Portal For Arcgis | 2025-04-23 | N/A | 6.1 MEDIUM |
| There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.0 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks. | |||||
| CVE-2014-9741 | 1 Esri | 3 Arcgis For Desktop, Arcgis For Engine, Arcgis Server | 2025-04-12 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in ESRI ArcGIS for Desktop, ArcGIS for Engine, and ArcGIS for Server 10.2.2 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2014-5122 | 1 Esri | 1 Arcgis Server | 2025-04-12 | 5.8 MEDIUM | N/A |
| Open redirect vulnerability in ESRI ArcGIS for Server 10.1.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via an unspecified parameter, related to login. | |||||
| CVE-2014-5121 | 1 Esri | 1 Arcgis Server | 2025-04-12 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in ESRI ArcGIS for Server 10.1.1 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters. | |||||
| CVE-2024-5888 | 1 Esri | 1 Arcgis Server | 2025-04-10 | N/A | 4.8 MEDIUM |
| There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability. | |||||
| CVE-2024-51966 | 1 Esri | 1 Arcgis Server | 2025-04-10 | N/A | 4.9 MEDIUM |
| There is a path traversal vulnerability in ESRI ArcGIS Server versions 11.3 and below. Successful exploitation may allow a remote authenticated attacker with admin privileges to traverse the file system to access files outside of the intended directory. There is no impact to integrity or availability due to the nature of the files that can be accessed, but there is a potential high impact to confidentiality. | |||||
| CVE-2024-51963 | 1 Esri | 1 Arcgis Server | 2025-04-10 | N/A | 4.8 MEDIUM |
| There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and follow that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability. | |||||
| CVE-2024-51961 | 1 Esri | 1 Arcgis Server | 2025-04-10 | N/A | 7.5 HIGH |
| There is a local file inclusion vulnerability in ArcGIS Server 11.3 and below that may allow a remote, unauthenticated attacker to craft a URL that could potentially disclose sensitive configuration information by reading internal files from the remote server. Due to the nature of the files accessible in this vulnerability the impact to confidentiality is High there is no impact to both integrity or availability. | |||||