CVE-2024-51950
📋 TL;DR
A stored cross-site scripting (XSS) vulnerability in ArcGIS Server versions 11.3 and below allows authenticated attackers with publisher privileges to inject malicious JavaScript links. When victims click these crafted links, arbitrary code executes in their browsers. This affects organizations using vulnerable ArcGIS Server deployments.
💻 Affected Systems
- ArcGIS Server
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An authenticated malicious publisher could steal session cookies, redirect users to phishing sites, or perform actions on behalf of authenticated users, potentially leading to data theft or unauthorized administrative actions.
Likely Case
Limited impact, because publisher-level authentication is required; the most likely use is session hijacking or credential theft against users who click malicious links within the application.
If Mitigated
With proper access controls and user awareness, impact is minimal as exploitation requires high-privilege authentication and user interaction.
🎯 Exploit Status
Exploitation requires authenticated publisher access and user interaction (clicking a malicious link).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply ArcGIS Server Security 2025 Update 1 Patch
Vendor Advisory: https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/
Restart Required: Yes
Instructions:
1. Download the ArcGIS Server Security 2025 Update 1 patch from Esri's support site.
2. Stop ArcGIS Server services.
3. Apply the patch according to Esri's installation instructions.
4. Restart ArcGIS Server services.
5. Verify successful patch installation.
🔧 Temporary Workarounds
Restrict Publisher Access
Limit publisher privileges to trusted users only and apply the principle of least privilege.
Content Security Policy (CSP)
Implement strict CSP headers to mitigate XSS impact by restricting script execution sources.
🧯 If You Can't Patch
- Implement strict access controls to limit publisher privileges to essential personnel only.
- Deploy web application firewall (WAF) rules to detect and block XSS payloads in ArcGIS Server requests.
🔍 How to Verify
Check if Vulnerable:
Check ArcGIS Server version; if 11.3 or below, the system is vulnerable.
Check Version:
Navigate to ArcGIS Server Administrator Directory > System > Properties or use REST endpoint: https://<server>:6443/arcgis/admin/system/properties
Verify Fix Applied:
Verify patch installation through ArcGIS Server Manager or command line, ensuring version reflects post-patch status.
📡 Detection & Monitoring
Log Indicators:
- Unusual publisher account activity
- Suspicious POST requests containing script tags or JavaScript payloads to ArcGIS Server endpoints
Network Indicators:
- HTTP requests with JavaScript payloads in parameters
- Unexpected redirects from ArcGIS Server links
SIEM Query:
source="arcgis_server" AND (http_method="POST" AND (url="*javascript:*" OR body="*<script>*"))
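The SIEM query above expressed as a small detection routine over sample log records, as an added example that is not part of this advisory or of any Esri tooling. It goes slightly beyond the query: matching is case-insensitive, URL and body are percent-decoded before matching, and the `javascript:` check is applied to the body as well as the URL. The field names (`source`, `http_method`, `url`, `body`) and the request paths in the sample records are assumptions, constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample records; field names and paths are assumptions, not
# ArcGIS Server's own log format.
SAMPLE_EVENTS = [
    {"source": "arcgis_server", "http_method": "POST",
     "url": "/arcgis/admin/services/Example.MapServer/edit",
     "body": "description=Parcel layer for the county"},
    {"source": "arcgis_server", "http_method": "POST",
     "url": "/arcgis/admin/services/Example.MapServer/edit",
     "body": 'description=<a href="javascript:void(0)">link</a>'},
    {"source": "arcgis_server", "http_method": "POST",
     "url": "/arcgis/admin/services/Example.MapServer/edit?next=JAVASCRIPT%3Avoid(0)",
     "body": ""},
    {"source": "arcgis_server", "http_method": "GET",
     "url": "/arcgis/admin/system/properties", "body": ""},
    {"source": "arcgis_server", "http_method": "POST",
     "url": "/arcgis/admin/services/Example.MapServer/edit",
     "body": "description=<script>x</script>"},
    {"source": "other_app", "http_method": "POST",
     "url": "/upload", "body": "<script>x</script>"},
]

# The two indicators the advisory's SIEM query looks for.
PATTERNS = {
    "javascript_uri": re.compile(r"javascript\s*:", re.IGNORECASE),
    "script_tag": re.compile(r"<\s*script\b", re.IGNORECASE),
}


def normalize(value):
    # Decode percent-encoding twice so double-encoded input is matched too;
    # the regexes themselves are case-insensitive.
    return unquote(unquote(value or ""))


def classify_event(event):
    """Return the names of the indicators matched by one record, or []."""
    if event.get("source") != "arcgis_server" or event.get("http_method") != "POST":
        return []
    haystack = normalize(event.get("url")) + "\n" + normalize(event.get("body"))
    return [name for name, rx in PATTERNS.items() if rx.search(haystack)]


def find_suspicious(events):
    """Return (index, matched_indicators) for every record that matches."""
    return [(i, hits) for i, e in enumerate(events) if (hits := classify_event(e))]


if __name__ == "__main__":
    for idx, hits in find_suspicious(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```

Records that are not ArcGIS Server POSTs are dropped before pattern matching, mirroring the query's `source` and `http_method` filters.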