CVE-2024-51946

4.8 MEDIUM

📋 TL;DR

This stored XSS vulnerability in ArcGIS Server allows authenticated attackers with publisher privileges to inject malicious JavaScript into links. When victims click these crafted links, arbitrary code executes in their browsers. Only ArcGIS Server versions 11.3 and below are affected.

💻 Affected Systems

Products:
  • ArcGIS Server
Versions: 11.3 and below
Operating Systems: All supported OS for ArcGIS Server
Default Config Vulnerable: ⚠️ Yes
Notes: Requires publisher role privileges to exploit. All configurations with vulnerable versions are affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

An authenticated malicious publisher could steal session cookies, perform actions as authenticated users, or redirect to phishing sites when victims click malicious links.

🟠 Likely Case

Limited impact due to requiring publisher privileges - most likely session hijacking or credential theft from users who click malicious links.

🟢 If Mitigated

With proper access controls and user awareness, impact is minimal as it requires high-privilege authentication and user interaction.

🌐 Internet-Facing: MEDIUM - Internet-facing ArcGIS Servers are at risk if attackers obtain publisher credentials, but exploitation requires authentication.
🏢 Internal Only: LOW - Internal systems have a reduced attack surface, though an insider with publisher access could still exploit it.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated publisher access and user interaction (clicking malicious link).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply Security 2025 Update 1 Patch

Vendor Advisory: https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/

Restart Required: Yes

Instructions:

1. Download the Security 2025 Update 1 patch from Esri.
2. Stop the ArcGIS Server services.
3. Apply the patch following Esri's installation guide.
4. Restart the ArcGIS Server services.
5. Verify the patch installation.

🔧 Temporary Workarounds

Restrict Publisher Access

all

Limit publisher role assignments to trusted users only and implement principle of least privilege.

Content Security Policy

all

Implement strict CSP headers to mitigate XSS impact by restricting script execution.
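A CSP only limits this XSS if the directive that governs scripts is actually strict. The following checker is an added example, not part of this advisory and not Esri code: it grades the script-governing directive of a Content-Security-Policy header value, applying the CSP fallback rule (script-src, else default-src) and the CSP3 rule that a nonce or hash source makes browsers ignore 'unsafe-inline'. Both sample header values are constructed for the example; nothing here is an observed ArcGIS Server header.

```shell
#!/bin/sh
# Added example (not from the advisory, not Esri's code): grade the script-src
# policy of a Content-Security-Policy header VALUE (the part after the colon).
# Both samples below are constructed; the weak one is what a permissive
# deployment often looks like, the strict one is the shape worth aiming for.

SAMPLE_WEAK_CSP="default-src 'self'; script-src 'self' 'unsafe-inline' https:"
SAMPLE_STRICT_CSP="default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'self'"

# csp_script_sources VALUE -> prints the source list that governs scripts:
# script-src if present, otherwise default-src (CSP fallback), otherwise nothing.
csp_script_sources() {
    script=''
    default=''
    oldifs=$IFS
    IFS=';'
    for directive in $1; do
        # strip surrounding whitespace so the directive name sits at the start
        directive=$(printf '%s' "$directive" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case "$directive" in
            script-src|"script-src "*)   script=${directive#script-src};  script=${script# } ;;
            default-src|"default-src "*) default=${directive#default-src}; default=${default# } ;;
        esac
    done
    IFS=$oldifs
    if [ -n "$script" ]; then printf '%s' "$script"; else printf '%s' "$default"; fi
}

# csp_script_status VALUE -> prints "missing", "weak: <reason>" or "ok";
# exits 0 only for "ok", so it can drive a compliance check.
csp_script_status() {
    srcs=$(csp_script_sources "$1")
    if [ -z "$srcs" ]; then
        echo "missing"
        return 1
    fi
    padded=" $srcs "
    case "$padded" in
        *"'unsafe-inline'"*)
            # CSP3: a nonce or hash source makes browsers ignore 'unsafe-inline'
            case "$padded" in
                *"'nonce-"*|*"'sha256-"*|*"'sha384-"*|*"'sha512-"*) ;;
                *) echo "weak: unsafe-inline"; return 1 ;;
            esac ;;
    esac
    case "$padded" in
        *" * "*|*" https: "*|*" http: "*|*" data: "*)
            echo "weak: scheme or wildcard source"; return 1 ;;
    esac
    echo "ok"
}

for sample in "$SAMPLE_WEAK_CSP" "$SAMPLE_STRICT_CSP"; do
    printf '%s -> ' "$sample"
    csp_script_status "$sample" || true
done
```

To grade a real deployment, feed it the value of the header returned for the ArcGIS Server pages, for example from `curl -sk -I` against the server and `grep -i content-security-policy`. Tighten the policy in a staging environment first: ArcGIS Server's own Manager and REST pages load their own scripts, and a script-src that blocks them breaks the administrative UI rather than protecting it.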

🧯 If You Can't Patch

  • Implement strict access controls - only grant publisher privileges to absolutely necessary users
  • Educate users about not clicking untrusted links within ArcGIS Server interface

🔍 How to Verify

Check if Vulnerable:

Check ArcGIS Server version via Administrator Directory at https://<server>:6443/arcgis/admin or using ArcGIS Server Manager interface.

Check Version:

curl -k https://<server>:6443/arcgis/admin/system/properties | grep version

Verify Fix Applied:

Confirm the fix by checking the build number, or by confirming that the Security 2025 Update 1 patch is recorded as installed. The version string alone (11.3) does not change when the patch is applied, so it cannot prove the patch is present.
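The version check above can be scripted so that the affected range (11.3 and below) is applied consistently across a fleet. The script below is an added example, not part of this advisory and not Esri code. The JSON it parses is a constructed sample, and the key name `currentversion` is an assumption about what the administrator endpoint returns; adjust `extract_version` to whatever your server's response actually contains before relying on it.

```shell
#!/bin/sh
# Added example (not from the advisory, not Esri's code): classify an ArcGIS
# Server version string against the affected range "11.3 and below".
# SAMPLE_ADMIN_INFO is a constructed response; the key name "currentversion"
# is an assumption about the admin endpoint's JSON and may need adjusting.

SAMPLE_ADMIN_INFO='{"currentversion":"11.3","fullVersion":"11.3.0","ok":true}'

# extract_version JSON -> prints the value of "currentversion", or nothing if absent
extract_version() {
    printf '%s' "$1" | sed -n 's/.*"currentversion" *: *"\([0-9][0-9.]*\)".*/\1/p'
}

# is_affected_version VERSION -> exit 0 if major.minor is 11.3 or lower,
# 1 if newer, 2 if the string is not a version at all
is_affected_version() {
    ver=$1
    major=${ver%%.*}
    if [ "$major" = "$ver" ]; then
        minor=0                      # "11" with no minor component
    else
        rest=${ver#*.}
        minor=${rest%%.*}            # second component only; patch level is ignored
    fi
    case "$major$minor" in ''|*[!0-9]*) return 2 ;; esac
    if [ "$major" -lt 11 ]; then return 0; fi
    if [ "$major" -eq 11 ] && [ "$minor" -le 3 ]; then return 0; fi
    return 1
}

# classify_admin_info JSON -> prints "affected X", "not-affected X" or "unknown"
classify_admin_info() {
    ver=$(extract_version "$1")
    if [ -z "$ver" ]; then
        echo "unknown"
        return 2
    fi
    # "a && rc=0 || rc=$?" keeps the function's status without tripping set -e
    is_affected_version "$ver" && rc=0 || rc=$?
    case $rc in
        0) echo "affected $ver" ;;
        1) echo "not-affected $ver" ;;
        *) echo "unknown"; return 2 ;;
    esac
}

classify_admin_info "$SAMPLE_ADMIN_INFO"
```

Against a live server, pass the body returned by the curl command from the Check Version step (with `-s` added to silence the progress meter) to `classify_admin_info` instead of the sample. An "affected" verdict means the install is in the vulnerable version range; because the security patch does not bump the version string, a patched 11.3 still reports as affected here, and the patch installation record is what distinguishes it.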

📡 Detection & Monitoring

Log Indicators:

  • Unusual publisher account activity
  • Multiple failed authentication attempts for publisher accounts
  • Suspicious content creation/modification logs

Network Indicators:

  • Unusual outbound connections from ArcGIS Server after link clicks
  • Suspicious JavaScript payloads in HTTP requests

SIEM Query:

source="arcgis-server" AND (event_type="content_creation" OR event_type="content_modification") AND user_role="publisher" AND suspicious_patterns
