Bug: NIM093227: A reflected non-persistent cross-site scripting vulnerability exists in ArcGIS for Server 10.1 SP1
【Related Information】
Article ID: 41498
Bug Id: NIM093227 is a duplicate of NIM093858
Software:
ArcGIS for Server 10.1
Platforms:
Windows Server 2003, Server 2008, Server 2012, Server 2008 R2
RHEL 5, 6
【Bug Description】
In one of the URLs that ArcGIS for Server 10.1 exposes, a reflected non-persistent cross-site scripting vulnerability exists. This issue does not exist in ArcGIS for Server 10.2.
CVE Reference
CVE-2013-5222 Various XSS Vulnerabilities
Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N Base Score 3.5
This vulnerability may be viewed as a standard entry in the Common Vulnerabilities and Exposures list.
Acknowledgements
Esri thanks the following for working with us to protect customers:
Roberto Suggi Liverani of NCIA-NCIRC for reporting this vulnerability.
【Bug Cause】
An attacker can use this vulnerability to run a script within the browser when viewing an Esri page using a specially constructed URL supplied by the hacker.
1 reply
EsriSupport
This issue has been fixed in ArcGIS 10.2 for Server. Esri recommends that customers upgrade to ArcGIS for Server 10.2.
For those customers that cannot upgrade to ArcGIS 10.2, Esri has released a security patch that resolves this and other security vulnerabilities in ArcGIS 10.1 SP1. Customers should download and install the 10.1 SP1 Security Patch, which can be found here:
ArcGIS 10.1 SP1 for Server Security Patch (September 2013)
【Created and Modified】
Created: 8/9/2013
Last Modified: 9/17/2013
【Original Link】
http://support.esri.com/en/kno ... 41498