PT-2025-9541 · Esri · ArcGIS Server
Published 2025-02-18 · Updated 2025-03-04 · CVE-2024-10904
CVSS v2.0: 5.5 (Medium)
| Vector | AV:N/AC:L/Au:S/C:P/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
ArcGIS Server versions 10.9.1 through 11.3
Description
The issue is a stored Cross-site Scripting vulnerability that may allow a remote, authenticated attacker to create a stored crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low on both confidentiality and integrity, with no impact on availability.
Recommendations
For ArcGIS Server versions 10.9.1 through 11.3, consider restricting publisher capabilities to minimize the risk of exploitation until a fix is available. As a temporary workaround, avoid using links from untrusted sources and restrict access to sensitive areas of the application to reduce the potential for arbitrary JavaScript code execution.
Fix
XSS
Weakness Enumeration
Related identifiers
Affected products
ArcGIS Server