CVE-2024-51956 – A stored cross-site scripting vulnerability in ... (How to Fix)

Q: What is the severity of CVE-2024-51956?

CVE-2024-51956 has a CVSS score of 4.8 (MEDIUM). A stored cross-site scripting vulnerability in ArcGIS Server versions 11.3 and below allows authenticated users with publisher privileges to inject malicious JavaScript links. When victims click these links, arbitrary code executes in their browsers. This affects organizations using vulnerable ArcGIS Server deployments.

📋 TL;DR

A stored cross-site scripting vulnerability in ArcGIS Server versions 11.3 and below allows authenticated users with publisher privileges to inject malicious JavaScript links. When victims click these links, arbitrary code executes in their browsers. This affects organizations using vulnerable ArcGIS Server deployments.

💻 Affected Systems

Products:

ArcGIS Server

Versions: 11.3 and below

Operating Systems: All supported platforms

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects instances where publisher-level users exist and can create/modify content.

📦 What is this software?

Arcgis Server by Esri

View all CVEs affecting Arcgis Server →

⚠️ Risk & Real-World Impact

🔴

Worst Case

An authenticated attacker with publisher privileges could steal session cookies, perform actions as authenticated users, or redirect to malicious sites, potentially leading to account compromise or data theft.

🟠

Likely Case

Limited impact due to requiring publisher-level authentication; most likely used for session hijacking or defacement within the application context.

🟢

If Mitigated

With proper access controls and input validation, impact is minimal as only trusted publishers could exploit, and modern browsers' XSS protections would reduce effectiveness.

🌐 Internet-Facing: MEDIUM - Internet-facing instances are accessible to attackers, but exploitation requires publisher authentication which reduces immediate risk.

🏢 Internal Only: LOW - Internal instances have reduced attack surface, and publisher privileges are typically limited to trusted personnel.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires publisher-level authentication, which significantly reduces attack surface. No public exploit code is known at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply Security 2025 Update 1 Patch

Vendor Advisory: https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/

Restart Required: Yes

Instructions:

1. Download Security 2025 Update 1 patch from Esri. 2. Stop ArcGIS Server services. 3. Apply the patch according to Esri's documentation. 4. Restart ArcGIS Server services. 5. Verify successful installation.

🔧 Temporary Workarounds

Input Validation Enhancement

all

Implement additional input validation for user-generated content to sanitize HTML/JavaScript inputs

Content Security Policy

all

Implement strict Content Security Policy headers to restrict script execution sources

🧯 If You Can't Patch

Restrict publisher privileges to only essential, trusted personnel
Implement web application firewall rules to detect and block XSS payloads

🔍 How to Verify

Check if Vulnerable:

Check ArcGIS Server version via Administrator Directory at https://<server>:6443/arcgis/admin or using the version REST endpoint

Check Version:

curl -k https://<server>:6443/arcgis/rest/info?f=json | grep version

Verify Fix Applied:

Verify version is updated post-patch and test that user inputs are properly sanitized

📡 Detection & Monitoring

Log Indicators:

Unusual content creation/modification by publisher users
Suspicious JavaScript payloads in request logs

Network Indicators:

Unusual outbound connections from ArcGIS Server to external domains
Suspicious script tags in HTTP requests

SIEM Query:

source="arcgis-server" AND (event="content_creation" OR event="content_modification") AND user_role="publisher" AND suspicious_patterns

📊 Metadata

CVE ID: CVE-2024-51956

CVSS v3 Score: 4.8 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CWE: CWE-79

EPSS Score: 0.06% exploit probability (17.5th percentile)

Published: March 3, 2025

Last Updated: April 10, 2025

🔗 References

https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/ Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-51956, you might also want to check these: