Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:31030
HistoryAug 26, 2014 - 12:00 a.m.

ArcGIS for Server Vulnerability Disclosure

2014-08-2600:00:00
vulners.com
54

Product: ArcGIS for Server
Vendor: ESRI
Vulnerable Version: 10.1.1
Tested Version: 10.1.1
Vendor Notification: June 19, 2014
Public Disclosure: August 15, 2014
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-5121
Risk Level: Medium
CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Discovered and Provided: CAaNES (Computational Analysis and Network
Enterprise Solutions)

Advisory Details:

Reflected Cross-Site Scripting (XSS) in ArcGIS for Server: CVE-2014-5121

Multiple vectors of unsanitized data input from application query
parameters allows an attacker to execute arbitrary JavaScript code
using a malicious URL link.

Product: ArcGIS for Server
Vendor: ESRI
Vulnerable Version: 10.1.1
Tested Version: 10.1.1
Vendor Notification: June 19, 2014
Public Disclosure: August 15, 2014
Vulnerability Type: Open Redirect [CWE-20]
CVE Reference: CVE-2014-5122
Risk Level: Medium
CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Discovered and Provided: CAaNES (Computational Analysis and Network
Enterprise Solutions)

Advisory Details:

Open Redirect in ArcGIS for Server: CVE-2014-5122

Using a crafted URL, upon login, the user's browser is redirected to
an attacker controlled parameter.

Related for SECURITYVULNS:DOC:31030