Esri has released the Portal for ArcGIS Security 2024 Update 1 Patch, resolving multiple high and medium severity security vulnerabilities across versions 11.2, 11.1, 10.9.1 and 10.8.1
This patch was released on April 4th, 2024, and is available here.
We provide Common Vulnerability Scoring System v.3.1 (CVSS) scores to allow our customers to better assess the risk of these vulnerabilities to their operations. Both base and modified temporal scores are provided to reflect the availability of an official patch.
Vulnerabilities fixed by this patch.
Directory Traversal – (Path Traversal)
CVE Details: CVE-2024-25693
CWE-22 Improper Limitation of a Pathname to a Restricted Directory
Base CVSS: 9.9 Temporal Score: 8.9
Access Control – (Improper Authentication)
CVE Details: CVE-2024-25699
CWE-323: Reusing a Nonce, Key Pair in Encryption
Base CVSS: 8.5 Temporal CVSS: 7.6
Cross Site Scripting – (XSS)
CVE Details: CVE-2024-25695
CWE- 79 Improper Neutralization of Input During Web Page Generation
Base CVSS: 7.2 Temporal CVSS: 6.5
Cross Site Scripting – (XSS)
CVE Details: CVE-2024-25698
CWE-79 Improper Neutralization of Input During Web Page Generation
Base CVSS: 6.1 Temporal Score: 5.5
Cross-Site Request Forgery (CSRF)
CVE Details: CVE-2024-25692
CWE-352: Cross-Site Request Forgery (CSRF)
Base CVSS: 5.4 Temporal CVSS: 4.9
Cross Site Scripting – (XSS)
CVE Details: CVE-2024-25697
CWE- 79 Improper Neutralization of Input During Web Page Generation
Base CVSS: 5.4 Temporal Score: 4.9
Cross Site Scripting – (XSS)
CVE Details: CVE-2024-25696
CWE- 79 Improper Neutralization of Input During Web Page Generation
Base CVSS: 4.8 Temporal CVSS: 4.3
Cross Site Scripting – (XSS)
CVE Details: CVE-2024-25708
CWE-79 Improper Neutralization of Input During Web Page Generation
Base CVSS: 4.8 Temporal CVSS: 4.3
Cross Site Scripting – (XSS)
CVE Details: CVE-2024-25690
CWE-79 Improper Neutralization of Input During Web Page Generation
Base CVSS: 4.7 Temporal CVSS: 4.2
Commenting is not enabled for this article.