Esri has released ArcGIS GeoEvent Server Patch 1, which resolves multiple high and medium severity security vulnerabilities in versions 10.9.1, 11.1, 11.2, 11.3 and 11.4.
- The ArcGIS GeoEvent Server 11.4 patch 1 was released on April 4, 2025, and is available here.
- The ArcGIS GeoEvent Server 11.3 patch 1 was released on April 4, 2025, and is available here.
- The ArcGIS GeoEvent Server 11.2 patch 1 was released on April 4, 2025, and is available here.
- The ArcGIS GeoEvent Server 11.1 patch 1 was released on April 4, 2025, and is available here.
- The ArcGIS GeoEvent Server 10.9.1 patch 5 was released on April 9, 2025, and is available here.
We provide Common Vulnerability Scoring System v.3.1 (CVSS) scores to allow our customers to better assess the risk of these vulnerabilities to their operations. Both base and modified temporal scores are provided to reflect the availability of an official patch.
Vulnerabilities fixed by this patch include:
Stored XSS
- CVE Details: CVE-2025-32419
- CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
- Base CVSS 3.1: 7.5; Temporal CVSS: 6.7; Base CVSS 4.0: 7.1
Directory Traversal
- CVE Details: CVE-2025-32418
- CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
- Base CVSS 3.1: 7.5; Temporal CVSS: 6.7; Base CVSS 4.0: 7.1
Stored XSS
- CVE Details: CVE-2025-32417
- CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
- Base CVSS 3.1: 4.3; Temporal CVSS: 3.9; Base CVSS 4.0: 4.6
Stored XSS