
David M. Chavez

#20674 of 53,635 · 12.2 Total CVSS

Vulnerabilities · 2 (Medium: 2)

PT-2022-24275 · CVSS 6.1 · 2022-10-25 · Esri · Esri Arcgis Server · CVE-2022-38198

**Name of the Vulnerable Software and Affected Versions**
Esri ArcGIS Server services directory versions 10.9.1 and below

**Description**
The issue is a reflected cross-site scripting problem that may allow a remote, unauthenticated attacker to convince a user to click on a crafted link, potentially executing arbitrary JavaScript code in the victim's browser.

**Recommendations**
For Esri ArcGIS Server services directory versions 10.9.1 and below, update to a version above 10.9.1 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

PT-2022-24276 · CVSS 6.1 · 2022-10-25 · Esri · Esri Arcgis Server · CVE-2022-38199

**Name of the Vulnerable Software and Affected Versions**
Esri ArcGIS Server (affected versions not specified)

**Description**
A remote file download issue can occur in some capabilities of Esri ArcGIS Server web services, potentially allowing a remote, unauthenticated attacker to induce an unsuspecting victim to launch a process in the victim's PATH environment. Current browsers provide users with warnings against running unsigned executables downloaded from the internet.

**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.