CVE-2024-51944
📋 TL;DR
A stored cross-site scripting (XSS) vulnerability in ArcGIS Server versions 11.3 and below allows authenticated attackers with publisher privileges to inject malicious JavaScript into crafted links. When victims click these links, arbitrary code executes in their browsers. This affects organizations using vulnerable ArcGIS Server deployments with publisher-level authenticated users.
💻 Affected Systems
- ArcGIS Server
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An authenticated malicious publisher could steal session cookies, perform actions as authenticated users, or redirect to phishing sites when victims click crafted links.
Likely Case
Limited data exfiltration or session hijacking for users who click malicious links, constrained by publisher access requirements.
If Mitigated
Minimal impact with proper access controls, input validation, and Content Security Policy headers in place.
🎯 Exploit Status
Exploitation requires authenticated publisher access and victim interaction (clicking crafted link).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply ArcGIS Server Security 2025 Update 1 Patch
Vendor Advisory: https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/
Restart Required: Yes
Instructions:
1. Download the ArcGIS Server Security 2025 Update 1 patch from Esri's support site.
2. Stop ArcGIS Server services.
3. Apply the patch according to Esri's installation instructions.
4. Restart ArcGIS Server services.
5. Verify successful patch application.
🔧 Temporary Workarounds
Restrict Publisher Privileges
Limit publisher role assignments to only trusted, necessary users to reduce the attack surface.
Review and modify user roles in ArcGIS Server Manager or Portal for ArcGIS
Implement Content Security Policy
Add CSP headers to restrict script execution sources and mitigate XSS impact.
Configure web server (IIS/Apache) to include appropriate CSP headers
🧯 If You Can't Patch
- Review and minimize publisher role assignments to essential personnel only.
- Implement network segmentation to isolate ArcGIS Server from sensitive systems.
🔍 How to Verify
Check if Vulnerable:
Check ArcGIS Server version in Administrator Directory > /admin/about or via ArcGIS Server Manager.
Check Version:
curl -u admin:password "https://server:6443/arcgis/admin/about?f=json"
Verify Fix Applied:
Confirm in the Administrator Directory that the Security 2025 Update 1 patch is installed (a security patch does not change the reported version number, so a patched 11.3 server still reports 11.3), then confirm that previously injected script content no longer executes in the affected pages.
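The version check above, as an added Python example (not part of the advisory and not Esri's code): it requests an Admin API token, reads /arcgis/admin/about, and reports whether the version falls in the "11.3 and below" range. Assumed: the token endpoint /arcgis/admin/generateToken, the "currentversion" field name in the about response, and a base URL of the form https://server:6443/arcgis; the sample JSON is constructed.

```python
"""Check an ArcGIS Server's reported version against the CVE-2024-51944 affected range."""
import json
import urllib.parse
import urllib.request

AFFECTED_MAX = (11, 3)  # "11.3 and below" per the advisory


def parse_version(text):
    """Turn '11.3' or '10.9.1' into a comparable tuple of ints."""
    return tuple(int(p) for p in text.strip().split("."))


def version_in_affected_range(version_text):
    """True when major.minor is 11.3 or lower.

    A security patch does not change the reported version, so a patched 11.3
    server still returns 11.3: treat this as a first screen and confirm the
    patch separately (for example with Esri's patch notification tool).
    """
    return parse_version(version_text)[:2] <= AFFECTED_MAX


def about_version(about_json_text):
    """Pull the version out of the JSON returned by /arcgis/admin/about."""
    data = json.loads(about_json_text)
    return data["currentversion"]  # assumed field name (not given on the page)


def get_token(base_url, username, password):
    """Request an Admin API token; the Admin Directory uses tokens rather than HTTP basic auth."""
    body = urllib.parse.urlencode({"username": username, "password": password,
                                   "client": "requestip", "f": "json"}).encode()
    with urllib.request.urlopen(f"{base_url}/admin/generateToken", body, timeout=30) as r:
        return json.load(r)["token"]


def check_server(base_url, username, password):
    """Return (reported_version, in_affected_range) for a live server."""
    token = get_token(base_url, username, password)
    query = urllib.parse.urlencode({"f": "json", "token": token})
    with urllib.request.urlopen(f"{base_url}/admin/about?{query}", timeout=30) as r:
        version = about_version(r.read().decode())
    return version, version_in_affected_range(version)


if __name__ == "__main__":
    SAMPLE = '{"currentversion": "11.3", "currentbuild": "0"}'  # constructed sample response
    v = about_version(SAMPLE)
    print(v, "in affected range" if version_in_affected_range(v) else "above 11.3")
```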
📡 Detection & Monitoring
Log Indicators:
- Unusual publisher account activity
- Suspicious POST requests with script tags or JavaScript payloads
Network Indicators:
- HTTP requests containing script injection patterns to ArcGIS Server endpoints
SIEM Query:
source="arcgis-server" AND http_method="POST" AND uri_path="/arcgis/*" AND (content="*<script*" OR content="*javascript:*")
(The parentheses matter: without them the OR branch would match any source and method. The patterns are a starting point and should be tuned to the fields your log source actually provides.)