Description
Open redirect vulnerability in ESRI ArcGIS for Server 10.1.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via an unspecified parameter, related to login.
Related
{"id": "CVE-2014-5122", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2014-5122", "description": "Open redirect vulnerability in ESRI ArcGIS for Server 10.1.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via an unspecified parameter, related to login.", "published": "2014-08-22T14:55:00", "modified": "2018-10-09T19:49:00", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "accessVector": "NETWORK", "accessComplexity": "MEDIUM", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE", "baseScore": 5.8}, "severity": "MEDIUM", "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}, "cvss3": {}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5122", "reporter": "cve@mitre.org", "references": ["http://packetstormsecurity.com/files/127959/ArcGIS-For-Server-10.1.1-XSS-Open-Redirect.html", "http://www.securityfocus.com/bid/69341", "http://www.securitytracker.com/id/1030752", "http://www.securityfocus.com/archive/1/533189/100/0/threaded"], "cvelist": ["CVE-2014-5122"], "immutableFields": [], "lastseen": "2022-03-23T13:35:12", "viewCount": 11, "enchantments": {"dependencies": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:31030", "SECURITYVULNS:VULN:13930"]}], "rev": 4}, "score": {"value": 5.8, "vector": "NONE"}, "backreferences": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:31030"]}]}, "exploitation": null, "vulnersScore": 5.8}, "_state": {"dependencies": 1659690813, "score": 1659761193}, "_internal": {}, "cna_cvss": {"cna": null, "cvss": {}}, "cpe": ["cpe:/a:esri:arcgis_for_server:10.1.1"], "cpe23": 
["cpe:2.3:a:esri:arcgis_for_server:10.1.1:*:*:*:*:*:*:*"], "cwe": ["NVD-CWE-Other"], "affectedSoftware": [{"cpeName": "esri:arcgis_for_server", "version": "10.1.1", "operator": "eq", "name": "esri arcgis for server"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:esri:arcgis_for_server:10.1.1:*:*:*:*:*:*:*", "cpe_name": []}]}]}, "extraReferences": [{"url": "http://packetstormsecurity.com/files/127959/ArcGIS-For-Server-10.1.1-XSS-Open-Redirect.html", "name": "http://packetstormsecurity.com/files/127959/ArcGIS-For-Server-10.1.1-XSS-Open-Redirect.html", "refsource": "MISC", "tags": []}, {"url": "http://www.securityfocus.com/bid/69341", "name": "69341", "refsource": "BID", "tags": []}, {"url": "http://www.securitytracker.com/id/1030752", "name": "1030752", "refsource": "SECTRACK", "tags": []}, {"url": "http://www.securityfocus.com/archive/1/533189/100/0/threaded", "name": "20140820 ArcGIS for Server Vulnerability Disclosure", "refsource": "BUGTRAQ", "tags": []}]}
{"securityvulns": [{"lastseen": "2018-08-31T11:10:53", "bulletinFamily": "software", "cvelist": ["CVE-2014-5122", "CVE-2014-5121"], "description": "\r\n\r\nProduct: ArcGIS for Server\r\nVendor: ESRI\r\nVulnerable Version: 10.1.1\r\nTested Version: 10.1.1\r\nVendor Notification: June 19, 2014\r\nPublic Disclosure: August 15, 2014\r\nVulnerability Type: Cross-Site Scripting [CWE-79]\r\nCVE Reference: CVE-2014-5121\r\nRisk Level: Medium\r\nCVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)\r\nDiscovered and Provided: CAaNES (Computational Analysis and Network\r\nEnterprise Solutions)\r\n\r\nAdvisory Details:\r\n\r\nReflected Cross-Site Scripting (XSS) in ArcGIS for Server: CVE-2014-5121\r\n\r\nMultiple vectors of unsanitized data input from application query\r\nparameters allows an attacker to execute arbitrary JavaScript code\r\nusing a malicious URL link.\r\n\r\nProduct: ArcGIS for Server\r\nVendor: ESRI\r\nVulnerable Version: 10.1.1\r\nTested Version: 10.1.1\r\nVendor Notification: June 19, 2014\r\nPublic Disclosure: August 15, 2014\r\nVulnerability Type: Open Redirect [CWE-20]\r\nCVE Reference: CVE-2014-5122\r\nRisk Level: Medium\r\nCVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)\r\nDiscovered and Provided: CAaNES (Computational Analysis and Network\r\nEnterprise Solutions)\r\n\r\nAdvisory Details:\r\n\r\nOpen Redirect in ArcGIS for Server: CVE-2014-5122\r\n\r\nUsing a crafted URL, upon login, the user's browser is redirected to\r\nan attacker controlled parameter.\r\n\r\n", "edition": 1, "modified": "2014-08-26T00:00:00", "published": "2014-08-26T00:00:00", "id": "SECURITYVULNS:DOC:31030", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31030", "title": "ArcGIS for Server Vulnerability Disclosure", "type": "securityvulns", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2021-06-08T18:50:18", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, 
information leaks, etc.", "edition": 2, "cvss3": {}, "published": "2014-08-26T00:00:00", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-5025", "CVE-2014-5122", "CVE-2014-4722", "CVE-2014-2708", "CVE-2014-2327", "CVE-2014-0479", "CVE-2014-5243", "CVE-2014-0482", "CVE-2014-5241", "CVE-2014-5098", "CVE-2014-5339", "CVE-2014-0481", "CVE-2014-5097", "CVE-2014-3978", "CVE-2014-5262", "CVE-2014-5035", "CVE-2014-2709", "CVE-2014-5340", "CVE-2014-5026", "CVE-2014-5027", "CVE-2014-5261", "CVE-2014-5335", "CVE-2014-4002", "CVE-2014-2326", "CVE-2014-0480", "CVE-2014-5338", "CVE-2014-0483", "CVE-2014-3830", "CVE-2014-2328"], "modified": "2014-08-26T00:00:00", "id": "SECURITYVULNS:VULN:13930", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13930", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}