CVE-2022-38200 - OpenCVE

A cross site scripting vulnerability exists in some map service configurations of ArcGIS Server versions 10.8.1 and 10.7.1. Specifically crafted web requests can execute arbitrary JavaScript in the context of the victim's browser.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Esri	Arcgis Server

Configuration 1 [-]

OR	cpe:2.3:a:esri:arcgis_server:10.7.1:::::::*
	cpe:2.3:a:esri:arcgis_server:10.8.1:::::::*

References

Link	Resource
https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-server-map-service-security-2022-update-1-is-now-available	Broken Link

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Esri

Published: 2022-07-22T00:00:00

Updated: 2022-10-25T00:00:00

Reserved: 2022-08-12T00:00:00

Link: CVE-2022-38200

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-10-25T17:15:55.527

Modified: 2022-10-31T13:40:25.870

Link: CVE-2022-38200

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:esri:arcgis_server:10.7.1:*:*:*:*:*:*:*", "matchCriteriaId": "3ACE85AE-02C4-407F-A215-8A5FA0C42E08", "vulnerable": true}, {"criteria": "cpe:2.3:a:esri:arcgis_server:10.8.1:*:*:*:*:*:*:*", "matchCriteriaId": "B7C6EF29-8C8D-45F4-9ECD-F40797F011C7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A cross site scripting vulnerability exists in some map service configurations of ArcGIS Server versions 10.8.1 and 10.7.1. Specifically crafted web requests can execute arbitrary JavaScript in the context of the victim's browser."}, {"lang": "es", "value": "Se presenta una vulnerabilidad de tipo cross site scripting en algunas configuraciones de servicios de mapas de ArcGIS Server versiones 10.8.1 y 10.7.1. Las peticiones web espec\u00edficamente dise\u00f1adas pueden ejecutar JavaScript arbitrario en el contexto del navegador de la v\u00edctima"}], "id": "CVE-2022-38200", "lastModified": "2022-10-31T13:40:25.870", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "psirt@esri.com", "type": "Secondary"}]}, "published": "2022-10-25T17:15:55.527", "references": [{"source": "psirt@esri.com", "tags": ["Broken Link"], "url": "https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-server-map-service-security-2022-update-1-is-now-available"}], "sourceIdentifier": "psirt@esri.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "psirt@esri.com", "type": "Secondary"}]}