History: Oct 25, 2022 - 4:31 p.m.

CVE-2022-38198 BUG-000146513 - Reflected XSS vulnerability in ArcGIS Server

2022-10-25 16:31:53
CWE-79
Esri
www.cve.org
5
cve-2022-38198
cross site scripting
arcgis server

CVSS3: 6.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS: 0.001
Percentile: 49.2%

There is a reflected cross-site scripting issue in the Esri ArcGIS Server services directory, versions 10.9.1 and below, that may allow a remote, unauthenticated attacker to convince a user to click on a crafted link, which could potentially execute arbitrary JavaScript code in the victim’s browser.

CNA Affected

[
  {
    "vendor": "Esri",
    "product": "ArcGIS Server",
    "versions": [
      {
        "version": "All",
        "status": "affected",
        "lessThanOrEqual": "10.9.1",
        "versionType": "custom"
      }
    ],
    "platforms": [
      "x64"
    ]
  }
]
