CVE-2024-51942: Stored XSS vulnerability in Rest Admin API under Hosted Feature Services page
Description
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 10.9.1 – 11.3 that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.
Classification
CVE ID: CVE-2024-51942
CVSS Base Severity: MEDIUM
CVSS Base Score: 4.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Problem Types
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Affected Products
Vendor: Esri
Product: ArcGIS Server
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.03% (probability of being exploited)
EPSS Percentile: 6.42% (scored less or equal to compared to others)
EPSS Date: 2025-04-01 (when was this score calculated)
References
https://nvd.nist.gov/vuln/detail/CVE-2024-51942https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/