CVE-2021-29116

Summary

A stored Cross Site Scripting (XSS) vulnerability in Esri ArcGIS Server feature services versions 10.8.1 and 10.9 (only) feature services may allow a remote, unauthenticated attacker to pass and store malicious strings via crafted queries which when accessed could potentially execute arbitrary JavaScript code in the user’s browser.

Affected Software

VendorProductVersion RangeStatus
EsriArcGIS Server10.8.1 < 10.9.0affected

Weaknesses

  • CWE-79: CWE-79 Cross-site Scripting (XSS)

Workarounds

This issue may be mitigated by securing the feature service.

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References