Esri has released the Portal for ArcGIS Security 2024 Update 1 Patch, resolving multiple high and medium severity security vulnerabilities across versions 11.2, 11.1, 10.9.1 and 10.8.1
This patch was released on April 4th, 2024, and is available here.
We provide Common Vulnerability Scoring System v.3.1 (CVSS) scores to allow our customers to better assess the risk of these vulnerabilities to their operations. Both base and modified temporal scores are provided to reflect the availability of an official patch.
Vulnerabilities fixed by this patch.
Cross-Site Request Forgery (CSRF)
- CVE Details: CVE-2024-25692
- CWE-352: Cross-Site Request Forgery (CSRF)
- Base CVSS: 5.4 Temporal CVSS: 4.9
Cross Site Scripting – (XSS)
- CVE Details: CVE-2024-25708
- CWE-79 Improper Neutralization of Input During Web Page Generation
- Base CVSS: 4.8 Temporal CVSS: 4.3
Cross Site Scripting – (XSS)
- CVE Details: CVE-2024-25690
- CWE-79 Improper Neutralization of Input During Web Page Generation
- Base CVSS: 4.7 Temporal CVSS: 4.2
Cross Site Scripting – (XSS)
- CVE Details: CVE-2024-25697
- CWE- 79 Improper Neutralization of Input During Web Page Generation
- Base CVSS: 5.4 Temporal Score: 4.9
Cross Site Scripting – (XSS)
- CVE Details: CVE-2024-25696
- CWE- 79 Improper Neutralization of Input During Web Page Generation
- Base CVSS: 4.8 Temporal CVSS: 4.3
Cross Site Scripting – (XSS)
- CVE Details: CVE-2024-25695
- CWE- 79 Improper Neutralization of Input During Web Page Generation
- Base CVSS: 7.2 Temporal CVSS: 6.5
Directory Traversal – (Path Traversal)
- CVE Details: CVE-2024-25693
- CWE-22 Improper Limitation of a Pathname to a Restricted Directory
- Base CVSS: 9.9 Temporal Score: 8.9
Cross Site Scripting – (XSS)
- CVE Details: CVE-2024-25698
- CWE-79 Improper Neutralization of Input During Web Page Generation
- Base CVSS: 6.1 Temporal Score: 5.5
Access Control – (Improper Authentication)
- CVE Details: CVE-2024-25699
- CWE-287 Improper Authentication
- Base CVSS: 8.5 Temporal CVSS: 7.6
Commenting is not enabled for this article.