There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser.  The privileges required to execute this attack are high, requiring publisher capabilities.  The impact is low to both confidentiality and integrity while having no impact to availability.
                
            References
                    | Link | Resource | 
|---|---|
| https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/ | Vendor Advisory | 
Configurations
                    History
                    10 Apr 2025, 20:15
| Type | Values Removed | Values Added | 
|---|---|---|
| Summary | (en) There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability. | 
06 Mar 2025, 14:23
| Type | Values Removed | Values Added | 
|---|---|---|
| Summary | 
 | |
| First Time | Esri Esri arcgis Server | |
| References | () https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/ - Vendor Advisory | |
| CPE | cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:* | 
03 Mar 2025, 20:15
| Type | Values Removed | Values Added | 
|---|---|---|
| New CVE | 
Information
                Published : 2025-03-03 20:15
Updated : 2025-04-10 20:15
NVD link : CVE-2024-51957
Mitre link : CVE-2024-51957
CVE.ORG link : CVE-2024-51957
JSON object : View
Products Affected
                esri
- arcgis_server
CWE
                
                    
                        
                        CWE-79
                        
            Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
