Multiple Vulnerabilities in Esri ArcGIS for Server 10.1 through 10.2 – Web Security Watch

Web Security Watch is an aggregator of security reports coming from various sources. It aims to provide a single point of tracking for all publicly disclosed security issues that matter. Its tagging system shows a relevant set of tags with each security alert for a quick overview of the affected products, and you can subscribe to an RSS feed containing only the tags you are interested in, so that you receive alerts related to those tags alone.

Vulnerability Summary for CVE-2013-5221
Original release date: 09/24/2013
Last revised: 09/25/2013
Source: US-CERT/NIST

Overview
The mobile-upload feature in Esri ArcGIS for Server 10.1 through 10.2 allows remote authenticated users to upload .exe files by leveraging (1) publisher or (2) administrator privileges.

CVSS Severity (version 2.0)
CVSS v2 Base Score: 3.5 (LOW)
Impact Subscore: 2.9
Exploitability Subscore: 6.8
CVSS Version 2 Metrics:
Access Vector: Network exploitable
Access Complexity: Medium
Authentication: Required to exploit
Impact Type: Allows unauthorized modification

References to Advisories, Solutions, and Tools
External Source: CONFIRM
Name: http://support.esri.com/en/knowledgebase/techarticles/detail/41497
Type: Advisory, Patch Information
Hyperlink: http://support.esri.com/en/knowledgebase/techarticles/detail/41497

Vulnerability Summary for CVE-2013-5222
Original release date: 12/30/2013
Last revised: 12/31/2013
Source: US-CERT/NIST

Overview
Multiple cross-site scripting (XSS) vulnerabilities in ESRI ArcGIS for Server 10.1 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
CVSS Severity (version 2.0)
CVSS v2 Base Score: 3.5 (LOW)
Impact Subscore: 2.9
Exploitability Subscore: 6.8
CVSS Version 2 Metrics:
Access Vector: Network exploitable, Victim must voluntarily interact with attack mechanism
Access Complexity: Medium
Authentication: Required to exploit
Impact Type: Allows unauthorized modification

References to Advisories, Solutions, and Tools
External Source: CONFIRM
Name: http://support.esri.com/en/knowledgebase/techarticles/detail/41498
Hyperlink: http://support.esri.com/en/knowledgebase/techarticles/detail/41498
External Source: CONFIRM
Name: http://support.esri.com/en/knowledgebase/techarticles/detail/41494
Hyperlink: http://support.esri.com/en/knowledgebase/techarticles/detail/41494

Vulnerability Summary for CVE-2013-7231
Original release date: 12/30/2013
Last revised: 12/31/2013
Source: US-CERT/NIST

Overview
Cross-site scripting (XSS) vulnerability in the Mobile Content Server in ESRI ArcGIS for Server 10.1 and 10.2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2013-5222.
CVSS Severity (version 2.0)
CVSS v2 Base Score: 3.5 (LOW)
Impact Subscore: 2.9
Exploitability Subscore: 6.8
CVSS Version 2 Metrics:
Access Vector: Network exploitable, Victim must voluntarily interact with attack mechanism
Access Complexity: Medium
Authentication: Required to exploit
Impact Type: Allows unauthorized modification

References to Advisories, Solutions, and Tools
External Source: CONFIRM
Name: http://support.esri.com/en/knowledgebase/techarticles/detail/41468
Hyperlink: http://support.esri.com/en/knowledgebase/techarticles/detail/41468
External Source: CONFIRM
Name: http://support.esri.com/en/downloads/patches-servicepacks/view/prod…
Hyperlink: http://support.esri.com/en/downloads/patches-servicepacks/view/prod…

Vulnerability Summary for CVE-2013-7232
Original release date: 12/30/2013
Last revised: 12/31/2013
Source: US-CERT/NIST

Overview
SQL injection vulnerability in ESRI ArcGIS for Server through 10.2 allows remote attackers to execute arbitrary SQL commands via unspecified input to the map or feature service.

CVSS Severity (version 2.0)
CVSS v2 Base Score: 7.5 (HIGH)
Impact Subscore: 6.4
Exploitability Subscore: 10.0
CVSS Version 2 Metrics:
Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit
Impact Type: Allows unauthorized disclosure of information, Allows unauthorized modification, Allows disruption of service

References to Advisories, Solutions, and Tools
External Source: CONFIRM
Name: http://support.esri.com/en/downloads/patches-servicepacks/view/prod…
Hyperlink: http://support.esri.com/en/downloads/patches-servicepacks/view/prod…
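Of the four entries, CVE-2013-7232 is the one an operator should worry about first: it is unauthenticated, network-reachable and rated HIGH, and the summary says only that the injection reaches the map or feature service through unspecified input. The detection script below is an added example, not code from Web Security Watch, Esri or NVD. It assumes that the input of interest is the `where` parameter of the REST `query` operation on a MapServer or FeatureServer layer (the page does not name the parameter, so this is an assumption), and it runs a handful of SQL-injection heuristics over constructed access-log lines. The log lines, the function names and the signature list are all illustrative.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format); these are not from any
# real ArcGIS Server deployment. The 'where' values are percent-encoded as a client
# would send them.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Dec/2013:10:01:12 +0000] "GET /arcgis/rest/services/Parcels/MapServer/0/query?where=OBJECTID%3D5&outFields=*&f=json HTTP/1.1" 200 512
203.0.113.7 - - [30/Dec/2013:10:01:15 +0000] "GET /arcgis/rest/services/Parcels/MapServer/0/query?where=1%3D1%20UNION%20SELECT%20name%2Cpassword%20FROM%20users--&f=json HTTP/1.1" 200 2048
198.51.100.9 - - [30/Dec/2013:10:02:40 +0000] "GET /arcgis/rest/services/Parcels/FeatureServer/0/query?where=STATE%3D%27CA%27%20OR%20%271%27%3D%271&f=json HTTP/1.1" 200 900
198.51.100.9 - - [30/Dec/2013:10:03:01 +0000] "GET /arcgis/rest/info?f=json HTTP/1.1" 200 128
192.0.2.4 - - [30/Dec/2013:10:04:22 +0000] "GET /arcgis/rest/services/Roads/MapServer/2/query?where=NAME%3D%27Main%27%3B%20WAITFOR%20DELAY%20%270%3A0%3A5%27--&f=json HTTP/1.1" 200 64
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target PROTOCOL", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Query operation on a map or feature service layer (assumed target of the injection).
QUERY_PATH_RE = re.compile(r"/rest/services/.+/(MapServer|FeatureServer)/\d+/query$", re.I)

# Heuristic signatures for a where clause that has been tampered with. Each is a
# (label, regex) pair; a clean clause such as OBJECTID=5 or NAME='O''Brien' matches none.
SIGNATURES = [
    ("union_select", re.compile(r"\bUNION\b\s+(ALL\s+)?SELECT\b", re.I)),
    ("comment", re.compile(r"--|/\*")),
    ("stacked", re.compile(r";\s*\w")),
    # OR 1=1, OR '1'='1, OR 'a'='a ... (the same literal on both sides of '=')
    ("tautology", re.compile(r"\bOR\s+(['\"]?)(\w+)\1\s*=\s*\1\2", re.I)),
    ("time_based", re.compile(r"\bWAITFOR\s+DELAY\b|\bSLEEP\s*\(|\bpg_sleep\s*\(", re.I)),
]


def parse_line(line):
    """Split one access-log line into client IP, path and decoded query parameters."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    url = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "path": url.path,
        "params": parse_qs(url.query, keep_blank_values=True),  # percent-decodes values
    }


def sqli_findings(where_clause):
    """Return the labels of every signature that fires on a decoded where clause."""
    return [label for label, rx in SIGNATURES if rx.search(where_clause)]


def scan_log(text):
    """Return one alert per query request whose 'where' parameter looks injected.

    Only GET requests are visible in an access log; clients that POST the query
    as a form body are not covered and need request-body logging or a WAF in front.
    """
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or not QUERY_PATH_RE.search(rec["path"]):
            continue
        for where in rec["params"].get("where", []):
            hits = sqli_findings(where)
            if hits:
                alerts.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                               "where": where, "signatures": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f'{alert["ts"]} {alert["ip"]} {alert["path"]} '
              f'where={alert["where"]!r} -> {", ".join(alert["signatures"])}')
```

The signatures are deliberately narrow so that ordinary where clauses (`OBJECTID=5`, quoted string literals, an `OR` between two different values) do not alert; tune them to the SQL dialect behind the service before feeding the alerts into a SIEM. Detection is a compensating control only; the fix is the vendor patch linked in the references above.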
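For the mobile-upload entry (CVE-2013-5221) the page states only that publishers and administrators could upload .exe files. The check below is an added example, not Esri's fix and not code from the page. It assumes a generic upload handler that receives a file name and the file bytes, and shows why an extension check on its own is not enough: it applies a deny-list to every segment of the name (so `report.exe.jpg` and `map.jpg.exe` are both refused), an allow-list to the final extension, and then inspects the content for a Windows PE header, so that an executable renamed to `.jpg` is still rejected. The extension lists, the sample bytes and all function names are illustrative.

```python
import struct

# Constructed test inputs, not real uploads. EXE_DISGUISED is the minimal skeleton of a
# Windows PE file: "MZ" DOS header, e_lfanew at offset 0x3C pointing to 0x80, and the
# "PE\0\0" signature at that offset. JPEG_SAMPLE is a JFIF header.
EXE_DISGUISED = (
    b"MZ" + b"\x00" * 58            # DOS header up to offset 0x3C
    + struct.pack("<I", 0x80)       # e_lfanew: offset of the PE signature
    + b"\x00" * (0x80 - 0x40)       # padding up to 0x80
    + b"PE\x00\x00" + b"\x00" * 20  # PE signature and an empty COFF header
)
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64

# Extensions that must never be accepted anywhere in the file name (illustrative list).
BLOCKED_EXTENSIONS = frozenset({"exe", "dll", "com", "scr", "bat", "cmd", "ps1", "msi", "jar"})
# Extensions a mobile client is expected to upload (illustrative allow-list).
ALLOWED_EXTENSIONS = frozenset({"jpg", "jpeg", "png", "gif", "zip"})


def is_pe_image(data: bytes) -> bool:
    """True if the bytes carry a Windows PE header, whatever the file is called."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def rejection_reason(filename: str, data: bytes):
    """Return why an upload should be refused, or None if it passes every check.

    Checks run from cheapest to most specific: every extension segment against the
    deny-list, the final extension against the allow-list, then the content for a
    PE header. The name is never trusted on its own.
    """
    segments = filename.lower().rsplit("/", 1)[-1].split(".")
    extensions = segments[1:]
    if not extensions:
        return "no extension"
    if any(ext in BLOCKED_EXTENSIONS for ext in extensions):
        return "blocked extension"
    if extensions[-1] not in ALLOWED_EXTENSIONS:
        return "extension not on allow-list"
    if is_pe_image(data):
        return "content is a Windows PE executable"
    return None


if __name__ == "__main__":
    for name, blob in [("photo.jpg", JPEG_SAMPLE), ("tool.exe", EXE_DISGUISED),
                       ("tool.jpg", EXE_DISGUISED), ("report.exe.jpg", JPEG_SAMPLE)]:
        print(f"{name}: {rejection_reason(name, blob) or 'accepted'}")
```

Content sniffing here covers only PE images; a deployment that accepts archives would also need to inspect what is inside them, and the upload directory should in any case not be executable or served back to clients.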


Last Modified: April 18, 2016 @ 6:09 am