VYPR

Vendor CVEs

Esri

All CVEs

167 total · sorted by risk
  • CVE-2023-25834May 9, 2023
    risk 0.00cvss epss 0.00

    Changes to user permissions in Portal for ArcGIS 10.9.1 and below are incompletely applied in specific use cases. This issue may allow users to access content that they are no longer privileged to access.

  • CVE-2023-25832May 9, 2023
    risk 0.00cvss epss 0.00

    There is a cross-site-request forgery vulnerability in Esri Portal for ArcGIS Versions 11.0 and below that may allow an attacker to trick an authorized user into executing unwanted actions.

  • CVE-2022-38209Dec 30, 2022
    risk 0.00cvss epss 0.00

    There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.9.1 and below which may allow a remote, unauthenticated attacker to create a crafted link which when clicked could execute arbitrary JavaScript code in the victim’s browser.

  • CVE-2022-38210Dec 30, 2022
    risk 0.00cvss epss 0.00

    There is a reflected HTML injection vulnerability in Esri Portal for ArcGIS versions 10.9.1 and below that may allow a remote, unauthenticated attacker to create a crafted link which when clicked could render arbitrary HTML in the victim’s browser.

  • CVE-2022-38204Dec 30, 2022
    risk 0.00cvss epss 0.01

    There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.8.1 and 10.7.1 which may allow a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser.

  • CVE-2022-38203Dec 30, 2022
    risk 0.00cvss epss 0.01

    Protections against potential Server-Side Request Forgery (SSRF) vulnerabilities in Esri Portal for ArcGIS versions 10.8.1 and below were not fully honored and may allow a remote, unauthenticated attacker to forge requests to arbitrary URLs from the system, potentially leading…

  • CVE-2022-38207Dec 30, 2022
    risk 0.00cvss epss 0.00

    There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.8.1 and 10.7.1 which may allow a remote remote, unauthenticated attacker to create a crafted link which when clicked which could execute arbitrary JavaScript code in the victim’s browser.

  • CVE-2022-38206Dec 30, 2022
    risk 0.00cvss epss 0.01

    There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.9.1 and below which may allow a remote remote, unauthenticated attacker to create a crafted link which when clicked could execute arbitrary JavaScript code in the victim’s browser.

  • CVE-2022-38208Dec 30, 2022
    risk 0.00cvss epss 0.00

    There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks.

  • CVE-2022-38211Dec 30, 2022
    risk 0.00cvss epss 0.01

    Protections against potential Server-Side Request Forgery (SSRF) vulnerabilities in Esri Portal for ArcGIS versions 10.9.1 and below were not fully honored and may allow a remote, unauthenticated attacker to forge requests to arbitrary URLs from the system, potentially leading…

  • CVE-2022-38212Dec 30, 2022
    risk 0.00cvss epss 0.01

    Protections against potential Server-Side Request Forgery (SSRF) vulnerabilities in Esri Portal for ArcGIS versions 10.8.1 and below were not fully honored and may allow a remote, unauthenticated attacker to forge requests to arbitrary URLs from the system, potentially leading…

  • CVE-2022-38205Dec 30, 2022
    risk 0.00cvss epss 0.02

    In some non-default installations of Esri Portal for ArcGIS versions 10.9.1 and below, a directory traversal issue may allow a remote, unauthenticated attacker to traverse the file system and lead to the disclosure of sensitive data (not customer-published content).

  • CVE-2022-38202Dec 28, 2022
    risk 0.00cvss epss 0.01

    There is a path traversal vulnerability in Esri ArcGIS Server versions 10.9.1 and below. Successful exploitation may allow a remote, unauthenticated attacker traverse the file system to access files outside of the intended directory on ArcGIS Server. This could lead to the…

  • CVE-2022-38201Nov 15, 2022
    risk 0.00cvss epss 0.00

    An unvalidated redirect vulnerability exists in Esri Portal for ArcGIS Quick Capture Web Designer versions 10.8.1 to 10.9.1. A remote, unauthenticated attacker can potentially induce an unsuspecting authenticated user to access an an attacker controlled domain.

  • CVE-2022-38195Oct 25, 2022
    risk 0.00cvss epss 0.00

    There is as reflected cross site scripting issue in Esri ArcGIS Server versions 10.9.1 and below which may allow a remote unauthorized attacker able to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the victim’s browser.

  • CVE-2022-38196Oct 25, 2022
    risk 0.00cvss epss 0.01

    Esri ArcGIS Server versions 10.9.1 and prior have a path traversal vulnerability that may result in a denial of service by allowing a remote, authenticated attacker to overwrite internal ArcGIS Server directory.

  • CVE-2022-38197Oct 25, 2022
    risk 0.00cvss epss 0.01

    Esri ArcGIS Server versions 10.9.1 and below have an unvalidated redirect issue that may allow a remote, unauthenticated attacker to phish a user into accessing an attacker controlled website via a crafted query parameter.

  • CVE-2022-38198Oct 25, 2022
    risk 0.00cvss epss 0.01

    There is a reflected cross site scripting issue in the Esri ArcGIS Server services directory versions 10.9.1 and below that may allow a remote, unauthenticated attacker to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the…

  • CVE-2022-38199Oct 25, 2022
    risk 0.00cvss epss 0.00

    A remote file download issue can occur in some capabilities of Esri ArcGIS Server web services that may in some edge cases allow a remote, unauthenticated attacker to induce an unsuspecting victim to launch a process in the victim's PATH environment. Current browsers provide…

  • CVE-2022-38200Oct 25, 2022
    risk 0.00cvss epss 0.00

    A cross site scripting vulnerability exists in some map service configurations of ArcGIS Server versions 10.8.1 and 10.7.1. Specifically crafted web requests can execute arbitrary JavaScript in the context of the victim's browser.

  • CVE-2022-38189Aug 16, 2022
    risk 0.00cvss epss 0.01

    A stored Cross Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS may allow a remote, authenticated attacker to pass and store malicious strings via crafted queries which when accessed could potentially execute arbitrary JavaScript code in the user’s browser.

  • CVE-2022-38184Aug 16, 2022
    risk 0.00cvss epss 0.01

    There is an improper access control vulnerability in Portal for ArcGIS versions 10.8.1 and below which could allow a remote, unauthenticated attacker to access an API that may induce Esri Portal for ArcGIS to read arbitrary URLs.

  • CVE-2022-38192Aug 16, 2022
    risk 0.00cvss epss 0.00

    A stored Cross Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS may allow a remote, authenticated attacker to pass and store malicious strings via crafted queries which when accessed could potentially execute arbitrary JavaScript code in the user’s browser.

  • CVE-2022-38193Aug 16, 2022
    risk 0.00cvss epss 0.01

    There is a code injection vulnerability in Esri Portal for ArcGIS versions 10.8.1 and below that may allow a remote, unauthenticated attacker to pass strings which could potentially cause arbitrary code execution.

  • CVE-2022-38194Aug 16, 2022
    risk 0.00cvss epss 0.00

    In Esri Portal for ArcGIS versions 10.8.1, a system property is not properly encrypted. This may lead to a local user reading sensitive information from a properties file.

  • CVE-2022-38191Aug 15, 2022
    risk 0.00cvss epss 0.00

    There is an HTML injection issue in Esri Portal for ArcGIS versions 10.9.0 and below which may allow a remote, authenticated attacker to inject HTML into some locations in the home application.

  • CVE-2022-38187Aug 15, 2022
    risk 0.00cvss epss 0.01

    Prior to version 10.9.0, the sharing/rest/content/features/analyze endpoint is always accessible to anonymous users, which could allow an unauthenticated attacker to induce Esri Portal for ArcGIS to read arbitrary URLs.

  • CVE-2022-38188Aug 15, 2022
    risk 0.00cvss epss 0.00

    There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.9.1 which may allow a remote attacker able to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the victim’s browser.

  • CVE-2022-38190Aug 15, 2022
    risk 0.00cvss epss 0.01

    A stored Cross Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS configurable apps may allow a remote, unauthenticated attacker to pass and store malicious strings via crafted queries which when accessed could potentially execute arbitrary JavaScript code in the…

  • CVE-2022-38186Aug 15, 2022
    risk 0.00cvss epss 0.00

    There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.8.1 and below which may allow a remote attacker able to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the victim’s browser.

  • CVE-2021-29117Aug 12, 2022
    risk 0.00cvss epss 0.00

    A use-after-free vulnerability when parsing a specially crafted file in Esri ArcReader 10.8.1 (and earlier) allows an unauthenticated attacker to achieve arbitrary code execution in the context of the current user.

  • CVE-2021-29112Aug 12, 2022
    risk 0.00cvss epss 0.00

    An out-of-bounds read vulnerability exists when parsing a specially crafted file in Esri ArcReader 10.8.1 (and earlier) which allow an unauthenticated attacker to induce an information disclosure issue in the context of the current user.

  • CVE-2021-29118Aug 12, 2022
    risk 0.00cvss epss 0.00

    An out-of-bounds read vulnerability exists when parsing a specially crafted file in Esri ArcReader 10.8.1 (and earlier) which allow an unauthenticated attacker to induce an information disclosure issue in the context of the current user.

  • CVE-2021-29116Dec 7, 2021
    risk 0.00cvss epss 0.01

    A stored Cross Site Scripting (XSS) vulnerability in Esri ArcGIS Server feature services versions 10.8.1 and 10.9 (only) feature services may allow a remote, unauthenticated attacker to pass and store malicious strings via crafted queries which when accessed could potentially…

  • CVE-2021-29115Dec 7, 2021
    risk 0.00cvss epss 0.02

    An information disclosure vulnerability in the ArcGIS Service Directory in Esri ArcGIS Enterprise versions 10.9.0 and below may allows a remote attacker to view hidden field names in feature layers. This issue may reveal field names, but not not disclose features.

  • CVE-2021-29114Dec 7, 2021
    risk 0.00cvss epss 0.01

    A SQL injection vulnerability in feature services provided by Esri ArcGIS Server 10.9 and below allows a remote, unauthenticated attacker to impact the confidentiality, integrity and availability of targeted services via specifically crafted queries.

  • CVE-2021-29113Dec 7, 2021
    risk 0.00cvss epss 0.01

    A remote file inclusion vulnerability in the ArcGIS Server help documentation may allow a remote, unauthenticated attacker to inject attacker supplied html into a page.

  • CVE-2021-29110Oct 1, 2021
    risk 0.00cvss epss 0.01

    Stored cross-site scripting (XSS) issue in Esri Portal for ArcGIS may allow a remote unauthenticated attacker to pass and store malicious strings in the home application.

  • CVE-2021-29109Oct 1, 2021
    risk 0.00cvss epss 0.01

    A reflected XSS vulnerability in Esri Portal for ArcGIS version 10.9 and below may allow a remote attacker able to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the user’s browser.

  • CVE-2021-29108Oct 1, 2021
    risk 0.00cvss epss 0.01

    There is an privilege escalation vulnerability in organization-specific logins in Esri Portal for ArcGIS versions 10.9 and below that may allow a remote, authenticated attacker who is able to intercept and modify a SAML assertion to impersonate another account (XML Signature…

  • CVE-2021-29104Jul 11, 2021
    risk 0.00cvss epss 0.01

    A stored Cross Site Scripting (XXS) vulnerability in ArcGIS Server Manager version 10.8.1 and below may allow a remote unauthenticated attacker to pass and store malicious strings in the ArcGIS Server Manager application.

  • CVE-2021-29102Jul 11, 2021
    risk 0.00cvss epss 0.02

    A Server-Side Request Forgery (SSRF) vulnerability in ArcGIS Server Manager version 10.8.1 and below may allow a remote, unauthenticated attacker to forge GET requests to arbitrary URLs from the system, potentially leading to network enumeration or facilitating other attacks.

  • CVE-2021-29103Jul 11, 2021
    risk 0.00cvss epss 0.01

    A reflected Cross Site Scripting (XXS) vulnerability in ArcGIS Server version 10.8.1 and below may allow a remote attacker able to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the user’s browser.

  • CVE-2021-29105Jul 11, 2021
    risk 0.00cvss epss 0.01

    A stored Cross Site Scripting (XSS) vulnerability in Esri ArcGIS Server Services Directory version 10.8.1 and below may allow a remote authenticated attacker to pass and store malicious strings in the ArcGIS Services Directory.

  • CVE-2021-29106Jul 10, 2021
    risk 0.00cvss epss 0.01

    A reflected Cross Site Scripting (XSS) vulnerability in Esri ArcGIS Server version 10.8.1 and below may allow a remote attacker able to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the user’s browser.

  • CVE-2021-29107Jul 10, 2021
    risk 0.00cvss epss 0.01

    A stored Cross Site Scripting (XXS) vulnerability in ArcGIS Server Manager version 10.8.1 and below may allow a remote unauthenticated attacker to pass and store malicious strings in the ArcGIS Server Manager application.

  • CVE-2021-29099Jun 7, 2021
    risk 0.00cvss epss 0.01

    A SQL injection vulnerability exists in some configurations of ArcGIS Server versions 10.8.1 and earlier. Specially crafted web requests can expose information that is not intended to be disclosed (not customer datasets). Web Services that use file based data sources (file…

  • CVE-2021-29101May 5, 2021
    risk 0.00cvss epss 0.02

    ArcGIS GeoEvent Server versions 10.8.1 and below has a read-only directory path traversal vulnerability that could allow an unauthenticated, remote attacker to perform directory traversal attacks and read arbitrary files on the system.

  • CVE-2021-29100May 5, 2021
    risk 0.00cvss epss 0.01

    A path traversal vulnerability exists in Esri ArcGIS Earth versions 1.11.0 and below which allows arbitrary file creation on an affected system through crafted input. An attacker could exploit this vulnerability to gain arbitrary code execution under security context of the user…

  • CVE-2021-3012Apr 8, 2021
    risk 0.00cvss epss 0.01

    A cross-site scripting (XSS) vulnerability in the Document Link of documents in ESRI Enterprise before 10.9 allows remote authenticated users to inject arbitrary JavaScript code via a malicious HTML attribute such as onerror (in the URL field of the Parameters tab).