Filtered by vendor Esri
Total: 85 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
---|---|---|---|---|---|
CVE-2022-38203 | Esri | Portal For Arcgis | 2024-09-16 | 7.5 High | Protections against potential Server-Side Request Forgery (SSRF) vulnerabilities in Esri Portal for ArcGIS versions 10.8.1 and below were not fully honored and may allow a remote, unauthenticated attacker to forge requests to arbitrary URLs from the system, potentially leading to network enumeration or reading from hosts inside the network perimeter, a different issue than CVE-2022-38211 and CVE-2022-38212. |
CVE-2014-9741 | Esri | Arcgis For Desktop, Arcgis For Engine, Arcgis Server | 2024-09-16 | N/A | Multiple cross-site scripting (XSS) vulnerabilities in ESRI ArcGIS for Desktop, ArcGIS for Engine, and ArcGIS for Server 10.2.2 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
CVE-2022-38198 | Esri | Arcgis Server | 2024-09-16 | 6.1 Medium | There is a reflected cross-site scripting issue in the Esri ArcGIS Server services directory versions 10.9.1 and below that may allow a remote, unauthenticated attacker to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the victim’s browser. |
CVE-2021-29100 | Esri | Arcgis Earth | 2024-09-16 | 7.8 High | A path traversal vulnerability exists in Esri ArcGIS Earth versions 1.11.0 and below which allows arbitrary file creation on an affected system through crafted input. An attacker could exploit this vulnerability to gain arbitrary code execution under the security context of the user running ArcGIS Earth by inducing the user to upload a crafted file to an affected system. |
CVE-2022-38209 | Esri | Portal For Arcgis | 2024-09-16 | 6.1 Medium | There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.9.1 and below which may allow a remote, unauthenticated attacker to create a crafted link which, when clicked, could execute arbitrary JavaScript code in the victim’s browser. |
CVE-2021-29103 | Esri | Arcgis Server | 2024-09-16 | 6.1 Medium | A reflected Cross Site Scripting (XSS) vulnerability in ArcGIS Server version 10.8.1 and below may allow a remote attacker who is able to convince a user to click on a crafted link to potentially execute arbitrary JavaScript code in the user’s browser. |
CVE-2021-29115 | Esri | Arcgis Enterprise | 2024-09-16 | 5.3 Medium | An information disclosure vulnerability in the ArcGIS Service Directory in Esri ArcGIS Enterprise versions 10.9.0 and below may allow a remote attacker to view hidden field names in feature layers. This issue may reveal field names, but does not disclose features. |
CVE-2022-38212 | Esri | Portal For Arcgis | 2024-09-16 | 7.5 High | Protections against potential Server-Side Request Forgery (SSRF) vulnerabilities in Esri Portal for ArcGIS versions 10.8.1 and below were not fully honored and may allow a remote, unauthenticated attacker to forge requests to arbitrary URLs from the system, potentially leading to network enumeration or reading from hosts inside the network perimeter, a different issue than CVE-2022-38211 and CVE-2022-38203. |
CVE-2022-38187 | Esri | Portal For Arcgis | 2024-09-16 | 7.5 High | Prior to version 10.9.0, the sharing/rest/content/features/analyze endpoint is always accessible to anonymous users, which could allow an unauthenticated attacker to induce Esri Portal for ArcGIS to read arbitrary URLs. |
CVE-2021-29104 | Esri | Arcgis Server | 2024-09-16 | 6.1 Medium | A stored Cross Site Scripting (XSS) vulnerability in ArcGIS Server Manager version 10.8.1 and below may allow a remote, unauthenticated attacker to pass and store malicious strings in the ArcGIS Server Manager application. |
CVE-2021-29094 | Esri | Arcgis Server | 2024-09-16 | 6.8 Medium | Multiple buffer overflow vulnerabilities when parsing a specially crafted file in Esri ArcGIS Server 10.8.1 (and earlier) allow an authenticated attacker with specialized permissions to achieve arbitrary code execution in the context of the service account. |
CVE-2021-29118 | Esri | Arcreader | 2024-09-16 | 5.5 Medium | An out-of-bounds read vulnerability exists when parsing a specially crafted file in Esri ArcReader 10.8.1 (and earlier) which allows an unauthenticated attacker to induce an information disclosure issue in the context of the current user. |
CVE-2021-29108 | Esri | Portal For Arcgis | 2024-09-16 | 8.8 High | There is a privilege escalation vulnerability in organization-specific logins in Esri Portal for ArcGIS versions 10.9 and below that may allow a remote, authenticated attacker who is able to intercept and modify a SAML assertion to impersonate another account (XML Signature Wrapping Attack). In addition to patching, Esri also strongly recommends, as a best practice, that SAML assertions be signed and encrypted. |
CVE-2021-29098 | Esri | Arcgis Engine, Arcgis Pro, Arcmap and 1 more | 2024-09-16 | 7.8 High | Multiple uninitialized pointer vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allow an unauthenticated attacker to achieve arbitrary code execution in the context of the current user. |
CVE-2021-29112 | Esri | Arcreader | 2024-09-16 | 5.5 Medium | An out-of-bounds read vulnerability exists when parsing a specially crafted file in Esri ArcReader 10.8.1 (and earlier) which allows an unauthenticated attacker to induce an information disclosure issue in the context of the current user. |
CVE-2005-1393 | Esri | Arcinfo Workstation | 2024-08-07 | N/A | Multiple buffer overflows in ArcGIS for ESRI ArcInfo Workstation 9.0 allow local users to execute arbitrary code via long command line arguments to (1) asmaster, (2) asuser, (3) asutility, (4) se, or (5) asrecovery. |
CVE-2005-1394 | Esri | Arcinfo Workstation | 2024-08-07 | N/A | Format string vulnerability in ArcGIS for ESRI ArcInfo Workstation 9.0 allows local users to gain privileges via format string specifiers in the ARCHOME environment variable to (1) wservice or (2) lockmgr. |
CVE-2006-0089 | Esri | Arcpad | 2024-08-07 | N/A | Buffer overflow in ESRI ArcPad 7.0.0.156 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a .amp file with a COORDSYS tag with a long string attribute. |
CVE-2007-4278 | Esri | Arcsde | 2024-08-07 | N/A | Stack-based buffer overflow in the giomgr process in ESRI ArcSDE service 9.2, as used with ArcGIS, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large number that requires more than 8 bytes to represent in ASCII, which triggers the overflow in an sprintf function call. |
CVE-2007-1770 | Esri | Arcsde | 2024-08-07 | N/A | Buffer overflow in the ArcSDE service (giomgr) in Environmental Systems Research Institute (ESRI) ArcGIS before 9.2 Service Pack 2, when using three-tiered ArcSDE configurations, allows remote attackers to cause a denial of service (giomgr crash) and execute arbitrary code via long parameters in crafted requests. |