The ArcGIS Server Security 2019 Update 2 Patch is now live on the support site. The URL is:
This security patch addresses multiple security vulnerabilities found in ArcGIS Server. Esri recommends that all customers using ArcGIS Server 10.7.1, 10.6.1, 10.5.1, and 10.4.1 apply this patch.
Issues Addressed with this patch include:
• BUG-000125044 – Hosted feature service has a stored cross-site scripting (XSS) vulnerability. (10.7.1 and 10.6.1 only)
CVSS 3.0 Base Score: 4.6 – CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
• BUG-000123103 – ArcGIS Server improperly handles an incorrect CORS origin.
CVSS 3.0 Base Score: 4.2 – CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
• BUG-000124991 – ArcGIS Server fails to fully import root or intermediate certificates. (10.7.1 and 10.6.1 only)
See patch page for list of cumulative issues.