ArcGIS Blog

ArcGIS Server Security 2023 Update 1 Patch available!

By Mark Bierman, Randall Williams and Michael Young

ArcGIS Server Security 2023 Update 1 Patch is now available. This patch contains fixes for multiple medium priority security issues. Esri highly recommends that customers using ArcGIS Server 10.8.1 through 11.0 install this patch. Users at version 10.7.1 should either upgrade to 10.9.1 and install this patch, or upgrade to 11.1. ArcGIS 10.7.1 is in mature support status and no longer receives patches. Users working with ArcGIS Enterprise 10.7.1 and below should upgrade to version 11.1 (preferred), 10.9.1 or 10.8.1 and install the available security patches.

This patch was released on June 28, 2023 and is available here.

We provide Common Vulnerability Scoring System v3.1 (CVSS) scores so that our customers can better assess the risk these vulnerabilities pose to their operations. Both base and modified temporal scores are provided to reflect the availability of an official patch.

 

Vulnerabilities fixed by this patch:

BUG-000158075 – Stored XSS issue in ArcGIS Server

CVE Details: CVE-2023-25841

CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

CVSSv3.1 Base Score: 6.1 (Medium) CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSSv3.1 Environmentally Modified Score: 5.2 (Medium) CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/RL:O/MPR:L

Description: There is a stored Cross-site Scripting vulnerability in Esri ArcGIS Server versions 10.8.1 – 11.0 on Windows and Linux platforms that may allow a remote, unauthenticated attacker to create crafted content which, when clicked, could potentially execute arbitrary JavaScript code in the victim’s browser.

Mitigation: Disable anonymous access to ArcGIS Feature services with edit capabilities.

BUG-000154070 – Stored XSS issue in the ArcGIS REST Services directory

CVE Details: CVE-2023-25840

CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

CVSSv3.1 Base Score: 5.4 (Moderate) CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSSv3.1 Environmentally Modified Score: 5.2 (Moderate) CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/RL:O

Description: There is a stored Cross-site Scripting vulnerability in Esri ArcGIS Server versions 10.8.1 – 11.0 on Windows and Linux platforms that may allow a remote, authenticated attacker to create crafted content which, when clicked, could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are low.

Mitigation: Disable the ArcGIS Server REST Services Directory.
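Both mitigations above come down to knowing which of your own services are exposed: feature services that anonymous users can reach and that advertise edit capabilities (first issue), and whether the REST Services Directory is still switched on (second issue). The script below is an added example for auditing that on a server you administer; it is not Esri's code. It assumes that a secured service answers an unauthenticated `?f=json` request with an `error` object rather than its description, that the service document's `capabilities` field is the usual comma-separated string, and that the admin API's Services Directory resource reports a `servicesDirEnabled` key; the hostnames and documents in SAMPLE_DOCS are constructed so the check runs offline.

```python
"""Audit ArcGIS Server feature services for anonymous edit access (added example)."""
import json
import urllib.request

# Feature service capability names that allow content to be written.
EDIT_CAPABILITIES = {"Create", "Update", "Delete", "Editing"}


def fetch_json(url, timeout=10):
    """GET a REST resource as JSON with no token, i.e. exactly what an anonymous client sees."""
    sep = "&" if "?" in url else "?"
    with urllib.request.urlopen(url + sep + "f=json", timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def is_anonymously_readable(doc):
    """Assumption: a secured service answers an unauthenticated request with an
    'error' object (typically code 499 'Token Required') instead of its description."""
    return isinstance(doc, dict) and "error" not in doc


def edit_capabilities(doc):
    """Edit-related entries of the service's comma-separated 'capabilities' string."""
    caps = {c.strip() for c in doc.get("capabilities", "").split(",")}
    return sorted(caps & EDIT_CAPABILITIES)


def audit_services(docs):
    """docs maps a FeatureServer URL to the JSON an anonymous GET returned.
    Returns the services that are both anonymously readable and editable."""
    findings = []
    for url, doc in sorted(docs.items()):
        if not is_anonymously_readable(doc):
            continue
        caps = edit_capabilities(doc)
        if caps:
            findings.append({"service": url, "edit_capabilities": caps})
    return findings


def services_directory_enabled(admin_doc):
    """Reads the Services Directory setting from the admin API's
    system/handlers/rest/servicesdirectory resource (assumption: key 'servicesDirEnabled')."""
    return bool(admin_doc.get("servicesDirEnabled", True))


# Constructed sample responses standing in for live fetch_json() results.
SAMPLE_DOCS = {
    "https://gis.example.com/arcgis/rest/services/Public/Parcels/FeatureServer": {
        "currentVersion": 11.0, "capabilities": "Query,Extract"},
    "https://gis.example.com/arcgis/rest/services/Field/Inspections/FeatureServer": {
        "currentVersion": 11.0, "capabilities": "Query,Create,Update,Delete,Uploads,Editing"},
    "https://gis.example.com/arcgis/rest/services/Internal/Assets/FeatureServer": {
        "error": {"code": 499, "message": "Token Required", "details": []}},
}
SAMPLE_ADMIN = {"servicesDirEnabled": True, "consoleLogging": False}

if __name__ == "__main__":
    for finding in audit_services(SAMPLE_DOCS):
        print("anonymous edit access:", finding["service"], finding["edit_capabilities"])
    if services_directory_enabled(SAMPLE_ADMIN):
        print("REST Services Directory is enabled")
```

Against live servers, replace SAMPLE_DOCS with the results of fetch_json() for each FeatureServer URL listed under /arcgis/rest/services; any service the audit reports should have anonymous access removed (or editing disabled) until the patch is installed, and the Services Directory check tells you whether the second mitigation is still outstanding.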
