Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

ArcGIS for Server Vulnerability Disclosure

From: "Romano, Christian" <cromano () caanes com>
Date: Wed, 20 Aug 2014 14:03:53 -0600
Product: ArcGIS for Server
Vendor: ESRI
Vulnerable Version: 10.1.1
Tested Version: 10.1.1
Vendor Notification: June 19, 2014
Public Disclosure: August 15, 2014
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-5121
Risk Level: Medium
CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Discovered and Provided: CAaNES (Computational Analysis and Network
Enterprise Solutions)

Advisory Details:

Reflected Cross-Site Scripting (XSS) in ArcGIS for Server: CVE-2014-5121

Multiple vectors of unsanitized data input from application query
parameters allows an attacker to execute arbitrary JavaScript code
using a malicious URL link.

Product: ArcGIS for Server
Vendor: ESRI
Vulnerable Version: 10.1.1
Tested Version: 10.1.1
Vendor Notification: June 19, 2014
Public Disclosure: August 15, 2014
Vulnerability Type: Open Redirect [CWE-20]
CVE Reference: CVE-2014-5122
Risk Level: Medium
CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Discovered and Provided: CAaNES (Computational Analysis and Network
Enterprise Solutions)

Advisory Details:

Open Redirect in ArcGIS for Server: CVE-2014-5122

Using a crafted URL, upon login, the user's browser is redirected to
an attacker controlled parameter.
Previous By Date Next
Previous By Thread Next

Current thread: