CVE-2022-38200

BUG-000142376 - Reflected Cross-Site Scripting (XSS) vulnerability in ArcGIS Server.

CVSS 6.1 MEDIUMEPSS 0.3%CWE-79

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 6.1EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

25 Oct 2022Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

A cross site scripting vulnerability exists in some map service configurations of ArcGIS Server versions 10.8.1 and 10.7.1. Specifically crafted web requests can execute arbitrary JavaScript in the context of the victim's browser.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Affected products

Esri · ArcGIS Server

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-server-map-service-security-2022-update-1-is-now-available