CVE-2024-51960
📋 TL;DR
A stored cross-site scripting vulnerability in ArcGIS Server versions 11.3 and below allows authenticated attackers with publisher privileges to inject malicious JavaScript into links. When victims click these crafted links, arbitrary JavaScript executes in their browsers. This affects organizations using vulnerable ArcGIS Server deployments.
💻 Affected Systems
- ArcGIS Server
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker with publisher privileges could steal session cookies, perform actions as authenticated users, or redirect users to malicious sites, potentially leading to account compromise or data theft.
Likely Case
An authenticated malicious publisher creates phishing-style links that execute JavaScript when clicked by other users, potentially capturing session data or performing limited actions within the victim's context.
If Mitigated
With proper access controls limiting publisher privileges to trusted users and input validation, the attack surface is significantly reduced, though the vulnerability remains present.
🎯 Exploit Status
Exploitation requires authenticated access with publisher privileges; stored XSS typically has straightforward exploitation once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply Security Update 2025-1 patch or upgrade to version 11.4+
Vendor Advisory: https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/
Restart Required: Yes
Instructions:
1. Download Security Update 2025-1 from Esri's support site. 2. Stop ArcGIS Server services. 3. Apply the patch according to Esri's documentation. 4. Restart ArcGIS Server services. 5. Verify the update was successful.
🔧 Temporary Workarounds
Restrict Publisher Privileges
allLimit publisher role assignments to only necessary, trusted users to reduce attack surface.
Implement Content Security Policy
allDeploy CSP headers to restrict script execution sources and mitigate XSS impact.
🧯 If You Can't Patch
- Implement strict access controls to limit publisher privileges to minimal necessary users
- Deploy web application firewall rules to detect and block XSS payloads
🔍 How to Verify
Check if Vulnerable:
Check ArcGIS Server version via Administrator Directory > System > Properties or using the version REST endpoint.Check Version:
curl -k https://<server>:6443/arcgis/admin/system/properties | grep versionVerify Fix Applied:
Verify version is 11.4+ or confirm Security Update 2025-1 is applied through patch management logs.📡 Detection & Monitoring
Log Indicators:
- Unusual publisher account activity
- Suspicious POST requests containing script tags or JavaScript payloads to link creation endpoints
Network Indicators:
- HTTP requests with JavaScript payloads in parameters
- Unexpected outbound connections from ArcGIS Server to external domains
SIEM Query:
source="arcgis-server" AND (http_method="POST" AND (uri_path="*create*" OR uri_path="*update*") AND (content="<script>" OR content="javascript:"))