CVE-2021-29113
Remote file inclusion vulnerability in ArcGIS Server help documentation
In short
A security flaw in ArcGIS Server's help documentation allows attackers to inject malicious HTML code into web pages without needing to log in. This could be used to trick users into visiting compromised pages or to steal their information.
Technical detail
A remote file inclusion vulnerability in the ArcGIS Server help documentation permits unauthenticated attackers to inject arbitrary HTML content via request manipulation. The attack vector is web-based and requires no authentication; successful exploitation results in HTML injection, enabling phishing, credential theft, or malware distribution to end users accessing the help section.
Summary generated and translated by AI from the official description.
A remote file inclusion vulnerability in the ArcGIS Server help documentation may allow a remote, unauthenticated attacker to inject attacker-supplied HTML into a page.
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
Affected products
Esri · ArcGIS Server