We recently patched a Cross-Site-Scripting (XSS) vulnerability within Geoportal Server and posted the patch to GitHub. Current 1.2.7 installations should just apply the patch, whereas installations before 1.2.7 will need to upgrade to 1.2.7 and then apply this patch. The actual XSS vulnerability is only of moderate risk, however we expect that the details for exploiting the vulnerability will likely be made publically available, and therefore recommend ensuring this patch is deployed in a timely manner.
This patch is only for the open-source Geoportal Server and not a vulnerability or patch related to the Esri commercial offering of Portal for ArcGIS.
Geoportal Server 1.2.7 Patch 1 – Available now