Vulnerabilities (CVE)

Filtered by vendor Esri Subscribe
Total 26 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-29099 1 Esri 1 Arcgis Server 2021-06-10 5.0 MEDIUM 5.3 MEDIUM
A SQL injection vulnerability exists in some configurations of ArcGIS Server versions 10.8.1 and earlier. Specially crafted web requests can expose information that is not intended to be disclosed (not customer datasets). Web Services that use file based data sources (file Geodatabase or Shape Files or tile cached services) are unaffected by this issue.
CVE-2021-3012 1 Esri 1 Arcgis Enterprise 2021-05-26 3.5 LOW 5.4 MEDIUM
A cross-site scripting (XSS) vulnerability in the Document Link of documents in ESRI Enterprise before 10.9 allows remote authenticated users to inject arbitrary JavaScript code via a malicious HTML attribute such as onerror (in the URL field of the Parameters tab).
CVE-2021-29100 1 Esri 1 Arcgis Earth 2021-05-11 6.8 MEDIUM 7.8 HIGH
A path traversal vulnerability exists in Esri ArcGIS Earth versions 1.11.0 and below which allows arbitrary file creation on an affected system through crafted input. An attacker could exploit this vulnerability to gain arbitrary code execution under security context of the user running ArcGIS Earth by inducing the user to upload a crafted file to an affected system.
CVE-2021-29097 1 Esri 4 Arcgis, Arcgis Desktop, Arcgis Pro and 1 more 2021-03-31 6.8 MEDIUM 7.8 HIGH
Multiple buffer overflow vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allow an unauthenticated attacker to achieve arbitrary code execution in the context of the current user.
CVE-2021-29094 1 Esri 1 Arcgis 2021-03-31 6.0 MEDIUM 6.8 MEDIUM
Multiple buffer overflow vulnerabilities when parsing a specially crafted file in Esri ArcGIS Server 10.8.1 (and earlier) allows an authenticated attacker with specialized permissions to achieve arbitrary code execution in the context of the service account.
CVE-2021-29095 1 Esri 1 Arcgis 2021-03-31 6.0 MEDIUM 6.8 MEDIUM
Multiple uninitialized pointer vulnerabilities when parsing a specially crafted file in Esri ArcGIS Server 10.8.1 (and earlier) allows an authenticated attacker with specialized permissions to achieve arbitrary code execution in the context of the service account.
CVE-2021-29093 1 Esri 1 Arcgis 2021-03-31 6.0 MEDIUM 6.8 MEDIUM
A use-after-free vulnerability when parsing a specially crafted file in Esri ArcGIS Server 10.8.1 (and earlier) allows an authenticated attacker with specialized permissions to achieve arbitrary code execution in the context of the service account.
CVE-2021-29096 1 Esri 4 Arcgis Desktop, Arcgis Engine, Arcgis Pro and 1 more 2021-03-31 6.8 MEDIUM 7.8 HIGH
A use-after-free vulnerability when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allows an unauthenticated attacker to achieve arbitrary code execution in the context of the current user.
CVE-2021-29098 1 Esri 4 Arcgis, Arcgis Desktop, Arcgis Pro and 1 more 2021-03-31 6.8 MEDIUM 7.8 HIGH
Multiple uninitialized pointer vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allow an unauthenticated attacker to achieve arbitrary code execution in the context of the current user.
CVE-2020-35712 3 Esri, Linux, Microsoft 3 Arcgis Server, Linux Kernel, Windows 2020-12-30 9.3 HIGH 9.8 CRITICAL
Esri ArcGIS Server before 10.8 is vulnerable to SSRF in some configurations.
CVE-2019-16193 1 Esri 1 Arcgis Enterprise 2019-09-12 3.5 LOW 5.4 MEDIUM
In ArcGIS Enterprise 10.6.1, a crafted IFRAME element can be used to trigger a Cross Frame Scripting (XFS) attack through the EDIT MY PROFILE feature.
CVE-2014-5121 1 Esri 1 Arcgis For Server 2018-10-09 4.3 MEDIUM N/A
Multiple cross-site scripting (XSS) vulnerabilities in ESRI ArcGIS for Server 10.1.1 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters.
CVE-2014-5122 1 Esri 1 Arcgis For Server 2018-10-09 5.8 MEDIUM N/A
Open redirect vulnerability in ESRI ArcGIS for Server 10.1.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via an unspecified parameter, related to login.
CVE-2015-2002 1 Esri 1 Arcgisruntime Sdk 2018-04-23 7.5 HIGH 9.8 CRITICAL
The ESRI ArcGis Runtime SDK before 10.2.6-2 for Android might allow attackers to execute arbitrary code by leveraging a finalize method in a Serializable class that improperly passes an attacker-controlled pointer to a native function.
CVE-2012-4949 1 Esri 1 Arcgis 2017-08-29 6.5 MEDIUM N/A
SQL injection vulnerability in ESRI ArcGIS 10.1 allows remote authenticated users to execute arbitrary SQL commands via the where parameter to a query URI for a REST service.
CVE-2007-4278 1 Esri 1 Arcgis 2017-07-29 7.5 HIGH N/A
Stack-based buffer overflow in the giomgr process in ESRI ArcSDE service 9.2, as used with ArcGIS, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large number that requires more than 8 bytes to represent in ASCII, which triggers the overflow in an sprintf function call.
CVE-2007-1770 1 Esri 1 Arcgis 2017-07-29 10.0 HIGH N/A
Buffer overflow in the ArcSDE service (giomgr) in Environmental Systems Research Institute (ESRI) ArcGIS before 9.2 Service Pack 2, when using three tiered ArcSDE configurations, allows remote attackers to cause a denial of service (giomgr crash) and execute arbitrary code via long parameters in crafted requests.
CVE-2005-1393 1 Esri 1 Arcinfo Workstation 2016-10-18 4.6 MEDIUM N/A
Multiple buffer overflows in ArcGIS for ESRI ArcInfo Workstation 9.0 allow local users to execute arbitrary code via long command line arguments to (1) asmaster, (2) asuser, (3) asutility, (4) se, or (5) asrecovery.
CVE-2005-1394 1 Esri 2 Arcgis, Arcinfo Workstation 2016-10-18 7.2 HIGH N/A
Format string vulnerability in ArcGIS for ESRI ArcInfo Workstation 9.0 allows local users to gain privileges via format string specifiers in the ARCHOME environment variable to (1) wservice or (2) lockmgr.
CVE-2014-9741 1 Esri 3 Arcgis For Desktop, Arcgis For Engine, Arcgis For Server 2015-07-09 4.3 MEDIUM N/A
Multiple cross-site scripting (XSS) vulnerabilities in ESRI ArcGIS for Desktop, ArcGIS for Engine, and ArcGIS for Server 10.2.2 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.