ArcGIS for Server Vulnerability Disclosure

2014-08-26T00:00:00

Description

Product: ArcGIS for Server Vendor: ESRI Vulnerable Version: 10.1.1 Tested Version: 10.1.1 Vendor Notification: June 19, 2014 Public Disclosure: August 15, 2014 Vulnerability Type: Cross-Site Scripting [CWE-79] CVE Reference: CVE-2014-5121 Risk Level: Medium CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) Discovered and Provided: CAaNES (Computational Analysis and Network Enterprise Solutions) Advisory Details: Reflected Cross-Site Scripting (XSS) in ArcGIS for Server: CVE-2014-5121 Multiple vectors of unsanitized data input from application query parameters allows an attacker to execute arbitrary JavaScript code using a malicious URL link. Product: ArcGIS for Server Vendor: ESRI Vulnerable Version: 10.1.1 Tested Version: 10.1.1 Vendor Notification: June 19, 2014 Public Disclosure: August 15, 2014 Vulnerability Type: Open Redirect [CWE-20] CVE Reference: CVE-2014-5122 Risk Level: Medium CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) Discovered and Provided: CAaNES (Computational Analysis and Network Enterprise Solutions) Advisory Details: Open Redirect in ArcGIS for Server: CVE-2014-5122 Using a crafted URL, upon login, the user's browser is redirected to an attacker controlled parameter.

{"id": "SECURITYVULNS:DOC:31030", "bulletinFamily": "software", "title": "ArcGIS for Server Vulnerability Disclosure", "description": "\r\n\r\nProduct: ArcGIS for Server\r\nVendor: ESRI\r\nVulnerable Version: 10.1.1\r\nTested Version: 10.1.1\r\nVendor Notification: June 19, 2014\r\nPublic Disclosure: August 15, 2014\r\nVulnerability Type: Cross-Site Scripting [CWE-79]\r\nCVE Reference: CVE-2014-5121\r\nRisk Level: Medium\r\nCVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)\r\nDiscovered and Provided: CAaNES (Computational Analysis and Network\r\nEnterprise Solutions)\r\n\r\nAdvisory Details:\r\n\r\nReflected Cross-Site Scripting (XSS) in ArcGIS for Server: CVE-2014-5121\r\n\r\nMultiple vectors of unsanitized data input from application query\r\nparameters allows an attacker to execute arbitrary JavaScript code\r\nusing a malicious URL link.\r\n\r\nProduct: ArcGIS for Server\r\nVendor: ESRI\r\nVulnerable Version: 10.1.1\r\nTested Version: 10.1.1\r\nVendor Notification: June 19, 2014\r\nPublic Disclosure: August 15, 2014\r\nVulnerability Type: Open Redirect [CWE-20]\r\nCVE Reference: CVE-2014-5122\r\nRisk Level: Medium\r\nCVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)\r\nDiscovered and Provided: CAaNES (Computational Analysis and Network\r\nEnterprise Solutions)\r\n\r\nAdvisory Details:\r\n\r\nOpen Redirect in ArcGIS for Server: CVE-2014-5122\r\n\r\nUsing a crafted URL, upon login, the user's browser is redirected to\r\nan attacker controlled parameter.\r\n\r\n", "published": "2014-08-26T00:00:00", "modified": "2014-08-26T00:00:00", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31030", "reporter": "Securityvulns", "references": [], "cvelist": ["CVE-2014-5122", "CVE-2014-5121"], "type": "securityvulns", "lastseen": "2018-08-31T11:10:53", "edition": 1, "viewCount": 29, "enchantments": {"score": {"value": 2.3, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2014-5121", "CVE-2014-5122"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:13930"]}], "rev": 4}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2014-5121", "CVE-2014-5122"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:13930"]}]}, "exploitation": null, "vulnersScore": 2.3}, "affectedSoftware": [], "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1646293128, "score": 1659803227}, "_internal": {"score_hash": "3d7d47eb5762e40bb05d56ee81fbbced"}}

{"cve": [{"lastseen": "2022-03-23T13:35:12", "description": "Multiple cross-site scripting (XSS) vulnerabilities in ESRI ArcGIS for Server 10.1.1 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters.", "cvss3": {}, "published": "2014-08-22T14:55:00", "type": "cve", "title": "CVE-2014-5121", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-5121"], "modified": "2018-10-09T19:49:00", "cpe": ["cpe:/a:esri:arcgis_for_server:10.1.1"], "id": "CVE-2014-5121", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5121", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:esri:arcgis_for_server:10.1.1:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T13:35:12", "description": "Open redirect vulnerability in ESRI ArcGIS for Server 10.1.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via an unspecified parameter, related to login.", "cvss3": {}, "published": "2014-08-22T14:55:00", "type": "cve", "title": "CVE-2014-5122", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-5122"], "modified": "2018-10-09T19:49:00", "cpe": ["cpe:/a:esri:arcgis_for_server:10.1.1"], "id": "CVE-2014-5122", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5122", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}, "cpe23": ["cpe:2.3:a:esri:arcgis_for_server:10.1.1:*:*:*:*:*:*:*"]}], "securityvulns": [{"lastseen": "2021-06-08T18:50:18", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "edition": 2, "cvss3": {}, "published": "2014-08-26T00:00:00", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-5025", "CVE-2014-5122", "CVE-2014-4722", "CVE-2014-2708", "CVE-2014-2327", "CVE-2014-0479", "CVE-2014-5243", "CVE-2014-0482", "CVE-2014-5241", "CVE-2014-5098", "CVE-2014-5339", "CVE-2014-0481", "CVE-2014-5097", "CVE-2014-3978", "CVE-2014-5262", "CVE-2014-5035", "CVE-2014-2709", "CVE-2014-5340", "CVE-2014-5026", "CVE-2014-5027", "CVE-2014-5261", "CVE-2014-5335", "CVE-2014-4002", "CVE-2014-2326", "CVE-2014-0480", "CVE-2014-5338", "CVE-2014-0483", "CVE-2014-3830", "CVE-2014-2328"], "modified": "2014-08-26T00:00:00", "id": "SECURITYVULNS:VULN:13930", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13930", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}

ArcGIS for Server Vulnerability Disclosure

Description

Related