ArcGIS Blog

Administration

ArcGIS Trust Center

Feb 18, 2025

ArcGIS Server Security 2025 Update 1 Patch Released

By Mark Bierman and Michael Young and RandallWilliams

Esri has released the ArcGIS Server Security 2025 Update 1 Patch. This patch resolves many high and medium severity security vulnerabilities across versions 10.9.1 – 11.3.

This patch was released on February 18th, 2025 and is available here.

We provide Common Vulnerability Scoring System (CVSS) v3.1 and v4.0 scores to allow our customers to better assess the risk of these vulnerabilities to their operations. Both base and temporally modified scores are provided to reflect the availability of an official patch.

Vulnerabilities fixed by this patch include:

 

SQL Injection Vulnerability

  • CVE Details: CVE-2024-51962
  • CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
  • Base CVSS 3.1: 8.7 Temporal CVSS: 7.8 Base CVSS 4.0: 8.5

Unauthorized Access to Secure Services

  • CVE Details: CVE-2024-51954
  • CWE-284: Improper Access Control
  • Base CVSS 3.1: 8.5 Temporal CVSS: 7.6 Base CVSS 4.0: 7.1

Local File Inclusion (LFI)

  • CVE Details: CVE-2024-51961
  • CWE-73: External Control of File Name or Path
  • Base CVSS 3.1: 7.5 Temporal CVSS: 6.7 Base CVSS 4.0: 8.2

Directory Traversal Vulnerability

  • CVE Details: CVE-2024-51958
  • CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
  • Base CVSS 3.1: 4.9 Temporal CVSS: 4.4 Base CVSS 4.0: 5.9

Directory Traversal Vulnerability

  • CVE Details: CVE-2024-51966
  • CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
  • Base CVSS 3.1: 4.9 Temporal CVSS: 4.4 Base CVSS 4.0: 5.9

Stored XSS

  • CVE Details: CVE-2024-51942
  • CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
  • Base CVSS 3.1: 4.8 Temporal CVSS: 4.3 Base CVSS 4.0: 2.0

Stored XSS

  • CVE Details: CVE-2024-51943
  • CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
  • Base CVSS 3.1: 4.8 Temporal CVSS: 4.3 Base CVSS 4.0: 2.0

Stored XSS

  • CVE Details: CVE-2024-5888
  • CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
  • Base CVSS 3.1: 4.8 Temporal CVSS: 4.3 Base CVSS 4.0: 2.0

Stored XSS

  • CVE Details: CVE-2024-51963
  • CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
  • Base CVSS 3.1: 4.8 Temporal CVSS: 4.3 Base CVSS 4.0: 2.0

Stored XSS

  • CVE Details: CVE-2024-51953
  • CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
  • Base CVSS 3.1: 4.8 Temporal CVSS: 4.3 Base CVSS 4.0: 2.0

Stored XSS

  • CVE Details: CVE-2024-51957
  • CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
  • Base CVSS 3.1: 4.8 Temporal CVSS: 4.3 Base CVSS 4.0: 2.0

Stored XSS

  • CVE Details: CVE-2024-51959
  • CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
  • Base CVSS 3.1: 4.8 Temporal CVSS: 4.3 Base CVSS 4.0: 2.0

Stored XSS

  • CVE Details: CVE-2024-51952
  • CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
  • Base CVSS 3.1: 4.8 Temporal CVSS: 4.3 Base CVSS 4.0: 2.0

Stored XSS

  • CVE Details: CVE-2024-51944
  • CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
  • Base CVSS 3.1: 4.8 Temporal CVSS: 4.3 Base CVSS 4.0: 2.0

Stored XSS

  • CVE Details: CVE-2024-51946
  • CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
  • Base CVSS 3.1: 4.8 Temporal CVSS: 4.3 Base CVSS 4.0: 2.0

Stored XSS

  • CVE Details: CVE-2024-51947
  • CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
  • Base CVSS 3.1: 4.8 Temporal CVSS: 4.3 Base CVSS 4.0: 2.0

Stored XSS

  • CVE Details: CVE-2024-51948
  • CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
  • Base CVSS 3.1: 4.8 Temporal CVSS: 4.3 Base CVSS 4.0: 2.0

Stored XSS

  • CVE Details: CVE-2024-51949
  • CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
  • Base CVSS 3.1: 4.8 Temporal CVSS: 4.3 Base CVSS 4.0: 2.0

Stored XSS

  • CVE Details: CVE-2024-51960
  • CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
  • Base CVSS 3.1: 4.8 Temporal CVSS: 4.3 Base CVSS 4.0: 2.0

Stored XSS

  • CVE Details: CVE-2024-51956
  • CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
  • Base CVSS 3.1: 4.8 Temporal CVSS: 4.3 Base CVSS 4.0: 2.0

Stored XSS

  • CVE Details: CVE-2024-51951
  • CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
  • Base CVSS 3.1: 4.8 Temporal CVSS: 4.3 Base CVSS 4.0: 2.0

Stored XSS

  • CVE Details: CVE-2024-51945
  • CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
  • Base CVSS 3.1: 4.8 Temporal CVSS: 4.3 Base CVSS 4.0: 2.0

Stored XSS

  • CVE Details: CVE-2024-51950
  • CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
  • Base CVSS 3.1: 4.8 Temporal CVSS: 4.3 Base CVSS 4.0: 2.0

Stored XSS

  • CVE Details: CVE-2024-10904
  • CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
  • Base CVSS 3.1: 4.8 Temporal CVSS: 4.3 Base CVSS 4.0: 2.0

Share this article

administration arcgis trust center cve security ssamlymlgp arcgis trust center

Commenting is not enabled for this article.