CVE-2024-51952
📋 TL;DR
A stored cross-site scripting (XSS) vulnerability in ArcGIS Server versions 11.3 and below allows authenticated users with publisher privileges to inject malicious JavaScript into links. When victims click these crafted links, arbitrary JavaScript executes in their browsers. This affects organizations using vulnerable ArcGIS Server deployments.
💻 Affected Systems
- ArcGIS Server
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker with publisher access could steal session cookies, perform actions as authenticated users, or redirect users to malicious sites, potentially leading to account compromise or data theft.
Likely Case
Limited impact due to requiring publisher-level authentication; most likely used for session hijacking or defacement within the application context.
If Mitigated
With proper access controls limiting publisher roles and input validation, impact is minimal to none.
🎯 Exploit Status
Exploitation requires authenticated publisher access and victim interaction (clicking a malicious link).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply ArcGIS Server Security 2025 Update 1 Patch
Vendor Advisory: https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/
Restart Required: Yes
Instructions:
1. Download the ArcGIS Server Security 2025 Update 1 patch from Esri's website.
2. Stop ArcGIS Server services.
3. Apply the patch according to Esri's installation instructions.
4. Restart ArcGIS Server services.
5. Verify the patch was applied successfully.
🔧 Temporary Workarounds
Restrict Publisher Access
Limit publisher privileges to only those users who absolutely need them.
Implement Content Security Policy (CSP)
Deploy a strict CSP header to limit XSS impact by restricting the sources from which scripts may execute.
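As an added example (not Esri's code or configuration), the following Python checks a Content-Security-Policy header for settings that would still let injected inline script run, with a constructed weak policy beside a strict one. The header strings and the wording of the findings are assumptions for illustration; the directive semantics (script-src falling back to default-src, a nonce or hash overriding 'unsafe-inline') follow the CSP specification.

```python
"""Evaluate a Content-Security-Policy header for settings that still allow injected inline
script to execute. Added example, not Esri's code; the sample headers below are constructed."""

from typing import Dict, List

# Constructed sample headers: a weak policy that does not stop stored XSS, and a strict one.
WEAK_CSP = "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'"
STRICT_CSP = ("default-src 'self'; script-src 'self' 'nonce-abc123'; "
              "object-src 'none'; base-uri 'self'; frame-ancestors 'none'")

HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_sources(policy: Dict[str, List[str]]) -> List[str]:
    """script-src governs script execution; it falls back to default-src when absent."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src", [])


def csp_findings(header: str) -> List[str]:
    """Return a list of weaknesses relevant to stored XSS; an empty list means the policy is strict."""
    policy = parse_csp(header)
    srcs = script_sources(policy)
    findings: List[str] = []
    if not srcs:
        findings.append("no script-src or default-src: inline script is allowed")
    # A nonce or hash in the same directive makes browsers ignore 'unsafe-inline'.
    if "'unsafe-inline'" in srcs and not any(s.startswith(HASH_OR_NONCE) for s in srcs):
        findings.append("'unsafe-inline' without nonce/hash: injected inline script runs")
    if "'unsafe-eval'" in srcs:
        findings.append("'unsafe-eval' allows string-to-code (eval, new Function)")
    if "*" in srcs or any(s.startswith(("http:", "https:")) and "*" in s for s in srcs):
        findings.append("wildcard script source: scripts may load from any host")
    if "object-src" not in policy or "'none'" not in policy["object-src"]:
        findings.append("object-src not 'none': plugin-based script injection not blocked")
    return findings


if __name__ == "__main__":
    for label, header in (("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        print(label, csp_findings(header) or "OK")
```

Run it against the header your reverse proxy or ArcGIS Server front end actually sends; a policy with 'unsafe-inline' in script-src does not reduce the impact of this vulnerability, because the injected link content runs as inline script.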
🧯 If You Can't Patch
- Strictly limit publisher role assignments to trusted users only.
- Monitor and audit user activities, especially link creation/modification by publishers.
🔍 How to Verify
Check if Vulnerable:
Check the ArcGIS Server version; 11.3 or below is vulnerable unless the patch has been applied.
Check Version:
Check the ArcGIS Server Administrator Directory or Manager interface for version information.
Verify Fix Applied:
Verify the patch is applied by checking the version or patch status in ArcGIS Server Manager.
📡 Detection & Monitoring
Log Indicators:
- Unusual link creation/modification by publisher users
- JavaScript payloads in URL parameters or stored content
Network Indicators:
- Suspicious outbound connections from ArcGIS Server to external domains following link clicks
SIEM Query:
Search ArcGIS Server logs for events in which publisher users create or modify links containing script tags or JavaScript code.
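As an added example of the detection logic described above (not Esri's tooling; the pipe-delimited key=value log format and the sample lines are constructed assumptions, not ArcGIS Server's real log format), this Python scans audit lines for publisher-role create/update events whose stored value carries script markup, decoding percent- and HTML-encoding first so that encoded payloads are not missed.

```python
"""Scan constructed ArcGIS-style audit log lines for publisher-initiated link or content changes
that carry script content. Added example, not Esri's tooling; the log format is an assumption."""

import re
from html import unescape
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed sample log lines (assumed pipe-delimited key=value format, not ArcGIS's real format).
SAMPLE_LOG = """\
2025-01-15T10:21:03Z|user=alice|role=publisher|action=updateItem|field=link|value=https://maps.example.org/app
2025-01-15T10:22:11Z|user=bob|role=publisher|action=updateItem|field=link|value=javascript:alert(1)
2025-01-15T10:23:40Z|user=carol|role=user|action=viewItem|field=link|value=https://maps.example.org/app
2025-01-15T10:25:02Z|user=bob|role=publisher|action=createItem|field=description|value=%3Cscript%20src%3D%22https%3A%2F%2Fevil.example%2Fx.js%22%3E%3C%2Fscript%3E
2025-01-15T10:26:15Z|user=dave|role=publisher|action=updateItem|field=link|value=https://maps.example.org/javascript-guide
"""

# Heuristics for script content in a stored link or text field.
SCRIPT_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),                 # <script> tag
    re.compile(r"^\s*javascript\s*:", re.I),           # javascript: URI scheme at start of value
    re.compile(r"\bon[a-z]+\s*=", re.I),               # inline event handler attribute (onerror=, ...)
    re.compile(r"^\s*data\s*:[^,]*text/html", re.I),   # data: URI carrying HTML
]

# Only publisher create/update events are in scope for this advisory.
LINK_ACTIONS = {"createItem", "updateItem"}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one pipe-delimited line into a dict; the first field is the timestamp."""
    parts = line.strip().split("|")
    if len(parts) < 2:
        return None
    event = {"ts": parts[0]}
    for kv in parts[1:]:
        key, _, val = kv.partition("=")   # split on the first '=' only; values may contain '='
        event[key] = val
    return event


def normalize(value: str) -> str:
    """Two passes of percent-decoding plus HTML entity decoding defeat simple encoding tricks."""
    return unescape(unquote(unquote(value)))


def is_script_payload(value: str) -> bool:
    """True when the decoded value matches any script heuristic."""
    decoded = normalize(value)
    return any(p.search(decoded) for p in SCRIPT_PATTERNS)


def find_suspicious(log_text: str) -> List[Dict[str, str]]:
    """Return publisher create/update events whose stored value looks like script."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        if event.get("role") != "publisher" or event.get("action") not in LINK_ACTIONS:
            continue
        if is_script_payload(event.get("value", "")):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['ts']} user={hit['user']} action={hit['action']} field={hit['field']}")
```

The fifth sample line, a legitimate URL containing the word "javascript", is included to show that anchoring the `javascript:` pattern to the start of the value keeps it from firing on ordinary links; adapt the field names to whatever your ArcGIS Server or SIEM actually emits.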