CVE-2012-4949

ESRI ArcGIS Server 10.1 - Authenticated SQL Injection via REST Service Query Where Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2012-4949. PoCs published by anonymous.

AI-analyzed exploit summary The provided text describes an SQL injection vulnerability in ESRI ArcGIS for Server 10.1, where insufficient sanitization of user-supplied data in the 'where' parameter allows attackers to manipulate SQL queries. The example URL demonstrates a potential attack vector but does not include functional exploit code.

Description

SQL injection vulnerability in ESRI ArcGIS 10.1 allows remote authenticated users to execute arbitrary SQL commands via the where parameter to a query URI for a REST service.

Exploits (1)

exploitdb WRITEUP VERIFIED
by anonymous · textwebappsmultiple
https://www.exploit-db.com/exploits/38016

The provided text describes an SQL injection vulnerability in ESRI ArcGIS for Server 10.1, where insufficient sanitization of user-supplied data in the 'where' parameter allows attackers to manipulate SQL queries. The example URL demonstrates a potential attack vector but does not include functional exploit code.

Classification
Writeup 90%
Attack Type
Sqli
Complexity
Trivial
Reliability
Theoretical
Target: ESRI ArcGIS for Server 10.1
No auth needed
Prerequisites: Network access to the vulnerable ArcGIS Server instance
mistral-large-3 · analyzed Feb 18, 2026 Full analysis →

References (2)

Core 2
Core References
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/795644

Scores

EPSS 0.0439
EPSS Percentile 90.1%

Details

CWE
CWE-89
Status published
Products (1)
esri/arcgis_server 10.1
Published Nov 14, 2012
Tracked Since Feb 18, 2026