CVE-2024-51952

Name of the Vulnerable Software and Affected Versions ArcGIS Server versions 10.9.1 through 11.3

Description The issue is a stored Cross-site Scripting vulnerability that may allow a remote, authenticated attacker with high privileges, specifically publisher capabilities, to create a crafted link. When clicked, this link could potentially execute arbitrary JavaScript code in the victim's browser. The impact of this issue is low on both confidentiality and integrity, with no impact on availability.

Recommendations For ArcGIS Server versions 10.9.1 through 11.3, consider restricting publisher capabilities to minimize the risk of exploitation until a fix is available. As a temporary workaround, avoid using links from untrusted sources within the application. At the moment, there is no information about a newer version that contains a fix for this vulnerability.