ID CVE-2014-5121Type cveReporter cve@mitre.orgModified 2018-10-09T19:49:00
Description
Multiple cross-site scripting (XSS) vulnerabilities in ESRI ArcGIS for Server 10.1.1 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters.
{"id": "CVE-2014-5121", "bulletinFamily": "NVD", "title": "CVE-2014-5121", "description": "Multiple cross-site scripting (XSS) vulnerabilities in ESRI ArcGIS for Server 10.1.1 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters.", "published": "2014-08-22T14:55:00", "modified": "2018-10-09T19:49:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5121", "reporter": "cve@mitre.org", "references": ["http://www.securitytracker.com/id/1030752", "http://packetstormsecurity.com/files/127959/ArcGIS-For-Server-10.1.1-XSS-Open-Redirect.html", "http://www.securityfocus.com/archive/1/533189/100/0/threaded"], "cvelist": ["CVE-2014-5121"], "type": "cve", "lastseen": "2019-05-29T18:13:47", "history": [], "edition": 1, "hashmap": [{"key": "affectedSoftware", "hash": "d27e63af35f3a0d6151462d9072b6e7e"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "8fd4433bc5191f113551a80c66bd7e31"}, {"key": "cpe23", "hash": "d6d841abe519d21f0cc0ccfc6c577585"}, {"key": "cvelist", "hash": "254755db541354dc8f56bc29cf1e5439"}, {"key": "cvss", "hash": "f74a1c24e49a5ecb0eefb5e51d4caa14"}, {"key": "cvss2", "hash": "25131d66a9f3961140b068f4b41aa42b"}, {"key": "cvss3", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cwe", "hash": "34e69e045b64924bccf865d56b6918a2"}, {"key": "description", "hash": "4d3f9dad3d8f2663976100b5ac29262f"}, {"key": "href", "hash": "ad262bc3fbabb4b2bbc9d6256c014bb4"}, {"key": "modified", "hash": "345ae1594ed8f0606af35823f2b20455"}, {"key": "published", "hash": "bfead3cc0c38533f460de5c9e1c6fea6"}, {"key": "references", "hash": "caebc09ed75a453327941c56c2674f8e"}, {"key": "reporter", "hash": "444c2b4dda4a55437faa8bef1a141e84"}, {"key": "title", "hash": "6a76e5dc0259b14454c27dc74be77018"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "9bd4ffd5bf7ee96d468d85c332aa9cd50bab869cc066f821623075d6efdff41b", "viewCount": 0, "enchantments": {"score": {"value": 4.8, "vector": "NONE", "modified": "2019-05-29T18:13:47"}, "dependencies": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:31030"]}], "modified": "2019-05-29T18:13:47"}, "vulnersScore": 4.8}, "objectVersion": "1.3", "cpe": ["cpe:/a:esri:arcgis_for_server:10.1.1"], "affectedSoftware": [{"name": "esri arcgis_for_server", "operator": "eq", "version": "10.1.1"}], "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {}, "cpe23": ["cpe:2.3:a:esri:arcgis_for_server:10.1.1:*:*:*:*:*:*:*"], "cwe": ["CWE-79"]}
{"securityvulns": [{"lastseen": "2018-08-31T11:10:53", "bulletinFamily": "software", "description": "\r\n\r\nProduct: ArcGIS for Server\r\nVendor: ESRI\r\nVulnerable Version: 10.1.1\r\nTested Version: 10.1.1\r\nVendor Notification: June 19, 2014\r\nPublic Disclosure: August 15, 2014\r\nVulnerability Type: Cross-Site Scripting [CWE-79]\r\nCVE Reference: CVE-2014-5121\r\nRisk Level: Medium\r\nCVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)\r\nDiscovered and Provided: CAaNES (Computational Analysis and Network\r\nEnterprise Solutions)\r\n\r\nAdvisory Details:\r\n\r\nReflected Cross-Site Scripting (XSS) in ArcGIS for Server: CVE-2014-5121\r\n\r\nMultiple vectors of unsanitized data input from application query\r\nparameters allows an attacker to execute arbitrary JavaScript code\r\nusing a malicious URL link.\r\n\r\nProduct: ArcGIS for Server\r\nVendor: ESRI\r\nVulnerable Version: 10.1.1\r\nTested Version: 10.1.1\r\nVendor Notification: June 19, 2014\r\nPublic Disclosure: August 15, 2014\r\nVulnerability Type: Open Redirect [CWE-20]\r\nCVE Reference: CVE-2014-5122\r\nRisk Level: Medium\r\nCVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)\r\nDiscovered and Provided: CAaNES (Computational Analysis and Network\r\nEnterprise Solutions)\r\n\r\nAdvisory Details:\r\n\r\nOpen Redirect in ArcGIS for Server: CVE-2014-5122\r\n\r\nUsing a crafted URL, upon login, the user's browser is redirected to\r\nan attacker controlled parameter.\r\n\r\n", "modified": "2014-08-26T00:00:00", "published": "2014-08-26T00:00:00", "id": "SECURITYVULNS:DOC:31030", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31030", "title": "ArcGIS for Server Vulnerability Disclosure", "type": "securityvulns", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}]}
