CVE-2012-4949

Name of the Vulnerable Software and Affected Versions ESRI ArcGIS version 10.1

Description The issue allows remote authenticated users to execute arbitrary SQL commands via the where parameter to a query URI for a REST service. This can be achieved by accessing specific API endpoints, such as a query URI for a REST service, and manipulating the where parameter.

Recommendations For ESRI ArcGIS version 10.1, consider restricting access to the REST service query URI to minimize the risk of exploitation. Avoid using the where parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.