The Portal for ArcGIS Security 2019 Update 2 Patch is now live on the support site. The URL is:
This security patch addresses multiple security vulnerabilities found in Portal for ArcGIS.
Esri recommends that all customers using Portal for ArcGIS 10.7.1. 10.6.1, 10.5.1, and 10.4.1 apply this patch.
Issues Addressed with this patch
- BUG-000125434 – A geoprocessing service with the GPDataFile input type does not provide the option to upload a file in the Web AppBuilder for ArcGIS geoprocessing widget in Portal for ArcGIS 10.7.1.
- BUG-000125033 – Users signed in through Integrated Windows Authentication (IWA) cannot search for layers under My Organization in Map Viewer.
- BUG-000124953 – Portal for ArcGIS application information exposure
- BUG-000123690 – Reflected cross-site scripting (XSS) in the Portal for ArcGIS home application
CVSS 3.0 Base Score: 5.4 – CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
- BUG-000119891 – Portal for ArcGIS profiles allow HTML injection (Only in 10.6.1 and 10.5.1)
CVSS 3.0 Base Score: 3.5 – CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N