CVE-2022-38200

MEDIUM

ArcGIS Server 10.7.1 and 10.8.1 - Cross-Site Scripting in Map Service Configuration


Description

A cross-site scripting vulnerability exists in some map service configurations of ArcGIS Server versions 10.8.1 and 10.7.1. Specially crafted web requests can execute arbitrary JavaScript in the context of the victim's browser.

Scores

CVSS v3 6.1
EPSS 0.0036
EPSS Percentile 58.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (2)
esri/arcgis_server 10.7.1
esri/arcgis_server 10.8.1
Published Oct 25, 2022
Tracked Since Feb 18, 2026