Description
Product: ArcGIS for Server
Vendor: ESRI
Vulnerable Version: 10.1.1
Tested Version: 10.1.1
Vendor Notification: June 19, 2014
Public Disclosure: August 15, 2014
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-5121
Risk Level: Medium
CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Discovered and Provided: CAaNES (Computational Analysis and Network Enterprise Solutions)
Advisory Details:
Reflected Cross-Site Scripting (XSS) in ArcGIS for Server: CVE-2014-5121
Multiple vectors of unsanitized data input from application query
parameters allow an attacker to execute arbitrary JavaScript code
using a malicious URL link.
Product: ArcGIS for Server
Vendor: ESRI
Vulnerable Version: 10.1.1
Tested Version: 10.1.1
Vendor Notification: June 19, 2014
Public Disclosure: August 15, 2014
Vulnerability Type: Open Redirect [CWE-20]
CVE Reference: CVE-2014-5122
Risk Level: Medium
CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Discovered and Provided: CAaNES (Computational Analysis and Network Enterprise Solutions)
Advisory Details:
Open Redirect in ArcGIS for Server: CVE-2014-5122
Using a crafted URL, upon login, the user's browser is redirected to
a destination taken from an attacker-controlled parameter.