Description
Multiple cross-site scripting (XSS) vulnerabilities in ESRI ArcGIS for Server 10.1.1 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters.
{"id": "CVE-2014-5121", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2014-5121", "description": "Multiple cross-site scripting (XSS) vulnerabilities in ESRI ArcGIS for Server 10.1.1 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters.", "published": "2014-08-22T14:55:00", "modified": "2018-10-09T19:49:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "accessVector": "NETWORK", "accessComplexity": "MEDIUM", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE", "baseScore": 4.3}, "severity": "MEDIUM", "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}, "cvss3": {}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5121", "reporter": "cve@mitre.org", "references": ["http://packetstormsecurity.com/files/127959/ArcGIS-For-Server-10.1.1-XSS-Open-Redirect.html", "http://www.securitytracker.com/id/1030752", "http://www.securityfocus.com/archive/1/533189/100/0/threaded"], "cvelist": ["CVE-2014-5121"], "immutableFields": [], "lastseen": "2022-03-23T13:35:12", "viewCount": 11, "enchantments": {"dependencies": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:31030"]}], "rev": 4}, "score": {"value": 4.4, "vector": "NONE"}, "backreferences": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:31030"]}]}, "exploitation": null, "vulnersScore": 4.4}, "_state": {"dependencies": 1659690813, "score": 1659761193}, "_internal": {}, "cna_cvss": {"cna": null, "cvss": {}}, "cpe": ["cpe:/a:esri:arcgis_for_server:10.1.1"], "cpe23": ["cpe:2.3:a:esri:arcgis_for_server:10.1.1:*:*:*:*:*:*:*"], "cwe": ["CWE-79"], "affectedSoftware": [{"cpeName": "esri:arcgis_for_server", "version": "10.1.1", 
"operator": "eq", "name": "esri arcgis for server"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:esri:arcgis_for_server:10.1.1:*:*:*:*:*:*:*", "cpe_name": []}]}]}, "extraReferences": [{"url": "http://packetstormsecurity.com/files/127959/ArcGIS-For-Server-10.1.1-XSS-Open-Redirect.html", "name": "http://packetstormsecurity.com/files/127959/ArcGIS-For-Server-10.1.1-XSS-Open-Redirect.html", "refsource": "MISC", "tags": []}, {"url": "http://www.securitytracker.com/id/1030752", "name": "1030752", "refsource": "SECTRACK", "tags": []}, {"url": "http://www.securityfocus.com/archive/1/533189/100/0/threaded", "name": "20140820 ArcGIS for Server Vulnerability Disclosure", "refsource": "BUGTRAQ", "tags": []}]}
{"securityvulns": [{"lastseen": "2018-08-31T11:10:53", "bulletinFamily": "software", "cvelist": ["CVE-2014-5122", "CVE-2014-5121"], "description": "\r\n\r\nProduct: ArcGIS for Server\r\nVendor: ESRI\r\nVulnerable Version: 10.1.1\r\nTested Version: 10.1.1\r\nVendor Notification: June 19, 2014\r\nPublic Disclosure: August 15, 2014\r\nVulnerability Type: Cross-Site Scripting [CWE-79]\r\nCVE Reference: CVE-2014-5121\r\nRisk Level: Medium\r\nCVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)\r\nDiscovered and Provided: CAaNES (Computational Analysis and Network\r\nEnterprise Solutions)\r\n\r\nAdvisory Details:\r\n\r\nReflected Cross-Site Scripting (XSS) in ArcGIS for Server: CVE-2014-5121\r\n\r\nMultiple vectors of unsanitized data input from application query\r\nparameters allows an attacker to execute arbitrary JavaScript code\r\nusing a malicious URL link.\r\n\r\nProduct: ArcGIS for Server\r\nVendor: ESRI\r\nVulnerable Version: 10.1.1\r\nTested Version: 10.1.1\r\nVendor Notification: June 19, 2014\r\nPublic Disclosure: August 15, 2014\r\nVulnerability Type: Open Redirect [CWE-20]\r\nCVE Reference: CVE-2014-5122\r\nRisk Level: Medium\r\nCVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)\r\nDiscovered and Provided: CAaNES (Computational Analysis and Network\r\nEnterprise Solutions)\r\n\r\nAdvisory Details:\r\n\r\nOpen Redirect in ArcGIS for Server: CVE-2014-5122\r\n\r\nUsing a crafted URL, upon login, the user's browser is redirected to\r\nan attacker controlled parameter.\r\n\r\n", "edition": 1, "modified": "2014-08-26T00:00:00", "published": "2014-08-26T00:00:00", "id": "SECURITYVULNS:DOC:31030", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31030", "title": "ArcGIS for Server Vulnerability Disclosure", "type": "securityvulns", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}]}