CVE-2024-10904

4.8 MEDIUM

📋 TL;DR

A stored cross-site scripting (XSS) vulnerability in ArcGIS Server versions 11.3 and below allows an authenticated attacker with publisher privileges to inject malicious JavaScript links. When a victim clicks such a link, the attacker's script executes in the victim's browser. This affects organizations running unpatched ArcGIS Server deployments.

💻 Affected Systems

Products:
  • ArcGIS Server
Versions: 11.3 and below
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Requires publisher-level authenticated access to exploit; standard deployments are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An authenticated malicious publisher could steal session cookies, perform actions as authenticated users, or redirect to phishing sites by exploiting stored XSS payloads.

🟠 Likely Case

Limited impact due to high privilege requirements; most likely used for session hijacking or credential theft against users who click crafted links.

🟢 If Mitigated

With proper access controls and user awareness, impact is minimal as exploitation requires publisher-level authentication and user interaction.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated publisher access and user interaction; no public exploit code is known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply ArcGIS Server Security 2025 Update 1 Patch

Vendor Advisory: https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/

Restart Required: Yes

Instructions:

1. Download the security patch from Esri's support site.
2. Stop ArcGIS Server services.
3. Apply the patch according to Esri's documentation.
4. Restart ArcGIS Server services.
5. Verify the patch was applied successfully.

🔧 Temporary Workarounds

Restrict Publisher Privileges (all platforms)

Limit publisher-level access to trusted users only to reduce attack surface.

Review and audit ArcGIS Server user roles and permissions.

Implement Content Security Policy (all platforms)

Add CSP headers to reduce the impact of XSS by restricting which scripts the browser will execute; note that CSP limits what an injected payload can do but does not remove the stored payload itself.

Configure the front-end web server (e.g., Apache, IIS) to send appropriate CSP headers on ArcGIS Server responses.

🧯 If You Can't Patch

  • Enforce strict access controls to limit publisher roles to essential personnel only.
  • Implement web application firewall (WAF) rules to block XSS payloads and monitor for suspicious activity.

🔍 How to Verify

Check if Vulnerable:

Check the ArcGIS Server version; if it is 11.3 or below, it is vulnerable unless the ArcGIS Server Security 2025 Update 1 Patch has been applied.

Check Version:

Check the ArcGIS Server Administrator Directory or Manager interface for version information.

Verify Fix Applied:

Verify the patch is applied by checking version or patch status in ArcGIS Server Manager.

📡 Detection & Monitoring

Log Indicators:

  • Unusual publisher-level activity, such as creation of suspicious links or scripts in ArcGIS Server logs.

Network Indicators:

  • HTTP requests containing JavaScript payloads to ArcGIS Server endpoints.

SIEM Query:

Search ArcGIS Server logs for keywords such as 'script', 'javascript', or 'onclick' in content submitted by publisher accounts.
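To make that SIEM search concrete, here is an added Python example (not from this page or from Esri) that scans constructed JSON log records for values submitted by publisher accounts that carry JavaScript-link or inline-script markers, undoing URL and HTML-entity encoding first so that encoded variants are not missed. The record layout and field names are assumptions; real ArcGIS Server logs need their own parser in place of `json.loads`.

```python
import html
import json
import re
from typing import Optional
from urllib.parse import unquote

# Constructed sample records (not real ArcGIS Server log output). Field names are assumed.
SAMPLE_LOGS = [
    '{"user":"pub_alice","role":"publisher","endpoint":"/arcgis/rest/services","value":"https://maps.example.org/layer"}',
    '{"user":"pub_bob","role":"publisher","endpoint":"/arcgis/rest/services","value":"JaVaScRiPt:alert(1)"}',
    '{"user":"pub_carol","role":"publisher","endpoint":"/arcgis/rest/services","value":"%6Aavascript%3Avoid(0)"}',
    '{"user":"viewer_dan","role":"user","endpoint":"/arcgis/rest/services","value":"javascript:alert(1)"}',
    '{"user":"pub_eve","role":"publisher","endpoint":"/arcgis/rest/services","value":"<a href=x onclick=alert(1)>link</a>"}',
]

# Deliberately narrow indicators; tune them against your own false-positive rate.
XSS_PATTERNS = [
    ("javascript_uri", re.compile(r"javascript:")),
    ("script_tag", re.compile(r"<script")),
    ("event_handler", re.compile(r"on[a-z]+=")),  # whitespace is stripped by normalize()
]


def normalize(value: str) -> str:
    """Undo URL and HTML-entity encoding (bounded to three rounds), then drop
    whitespace/control characters and lower-case, so mixed-case or encoded
    'javascript:' links look the same to the patterns above."""
    decoded = value
    for _ in range(3):
        step = html.unescape(unquote(decoded))
        if step == decoded:
            break
        decoded = step
    return re.sub(r"[\s\x00-\x1f]", "", decoded).lower()


def scan_record(record: dict) -> Optional[dict]:
    """Return an alert for a publisher-submitted value with XSS indicators, else None."""
    if record.get("role") != "publisher":  # only publisher accounts can exploit this CVE
        return None
    norm = normalize(record.get("value", ""))
    hits = [name for name, pat in XSS_PATTERNS if pat.search(norm)]
    if not hits:
        return None
    return {"user": record["user"], "endpoint": record["endpoint"], "indicators": hits}


def scan_logs(lines) -> list:
    """Parse one JSON record per line and collect alerts; unparseable lines are skipped."""
    alerts = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        alert = scan_record(record)
        if alert:
            alerts.append(alert)
    return alerts
```

Running `scan_logs(SAMPLE_LOGS)` flags pub_bob, pub_carol and pub_eve and ignores viewer_dan, whose role cannot exploit this issue.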
