Esri has released the Portal for ArcGIS Quick Capture Security Patch. Esri has released updates for Portal for ArcGIS that resolve this moderate-risk vulnerability here.
This patch that resolves one moderate priority security vulnerabilities across versions 10.9.1, 10.8.1, and 10.7.1.
Vulnerabilities fixed by this patch
An unvalidated redirect vulnerability exists in Esri ArcGIS Quick Capture Web Designer versions 10.8.1 to 10.9.1. A remote, unauthenticated attacker can potentially induce an unsuspecting authenticated user to access an an attacker controlled domain.
Common Vulnerability Scoring System (CVSS v3.1) Details
6.1 Base Score, 5.5 Temporal Score
- Exploit Code Maturity: Proof-of-Concept
- Remediation Level: Official Fix Available
- Report Confidence: Confirmed by Esri
- Do not open emails or click links from unknown persons
We provide the temporal score in addition to the base score to allow our customers to better assess risk of this vulnerability to their operations. Please see Common Vulnerability Scoring System for more information on the definition of these metrics.
Esri Bug ID: BUG-000145824
Acknowledgements: Hussein Bahmad