ArcGIS Blog

Administration

ArcGIS Trust Center

Portal for ArcGIS Security 2024 Update 2 Released

By Mark Bierman and Michael Young and RandallWilliams

Esri has released the Portal for ArcGIS Security 2024 Update 2 Patch that resolves multiple high and medium severity security vulnerabilities across versions 11.2, 11.1, 10.9.1, 10.8.1.

 

This patch was released on August 22nd, 2024, and is available here.

 

We provide Common Vulnerability Scoring System v.3.1 and v.4.0 (CVSS) scores to allow our customers to better assess the risk of these vulnerabilities to their operations. Both base and modified temporal scores are provided to reflect the availability of an official patch.

Vulnerabilities fixed by this patch.

 

Local File Inclusion – (LFI)

  • CVE Details: CVE-2024-38040
  • CWE-73: External Control of File Name or Path
  • Base CVSS 3.1: 7.5  Base CVSS 4.0: 8.7

 

Cross Site Scripting – (XSS)

  • CVE Details: CVE-2024-38038
  • CWE-79 Improper Neutralization of Input During Web Page Generation
  • Base CVSS 3.1: 6.1  Base CVSS 4.0: 5.3

 

Cross Site Scripting – (XSS)

  • CVE Details: CVE-2024-25691
  • CWE-79 Improper Neutralization of Input During Web Page Generation
  • Base CVSS 3.1: 6.1  Base CVSS 4.0: 5.3

 

Unvalidated Redirect

 

Unvalidated Redirect

  • CVE Details: CVE-2024-8148
  • CWE-601 URL Redirection to Untrusted Site (‘Open Redirect’)
  • Base CVSS 3.1: 6.1  Base CVSS 4.0: 5.3

 

HTML Injection

  • CVE Details: CVE-2024-38039
  • CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’)
  • Base CVSS 3.1: 5.4  Base CVSS 4.0: 5.1

 

Cross Site Scripting – (XSS)

  • CVE Details: CVE-2024-25694
  • CWE-79 Improper Neutralization of Input During Web Page Generation
  • Base CVSS 3.1: 4.8  Base CVSS 4.0: 4.8

 

Cross Site Scripting – (XSS)

  • CVE Details: CVE-2024-25701
  • CWE-79 Improper Neutralization of Input During Web Page Generation
  • Base CVSS 3.1: 4.8  Base CVSS 4.0: 4.8

 

Cross Site Scripting – (XSS)

  • CVE Details: CVE-2024-25702
  • CWE-79 Improper Neutralization of Input During Web Page Generation
  • Base CVSS 3.1: 4.8  Base CVSS 4.0: 4.8

 

Cross Site Scripting – (XSS)

  • CVE Details: CVE-2024-25707
  • CWE-79 Improper Neutralization of Input During Web Page Generation
  • Base CVSS 3.1: 4.8  Base CVSS 4.0: 4.8

 

Cross Site Scripting – (XSS)

  • CVE Details: CVE-2024-38036
  • CWE-79 Improper Neutralization of Input During Web Page Generation
  • Base CVSS 3.1: 4.6  Base CVSS 4.0: 5.1

 

Cross Site Scripting – (XSS)

  • CVE Details: CVE-2024-8149
  • CWE-79 Improper Neutralization of Input During Web Page Generation
  • Base CVSS 3.1: 4.6  Base CVSS 4.0: 5.1

Share this article