CVE-2024-51962

HIGH

ArcGIS Server 10.9.1-11.3 - Authenticated SQL Injection via EDIT Operation

Title source: llm

Description

A SQL injection vulnerability in ArcGIS Server allows an EDIT operation to modify column properties in a manner that could lead to SQL injection when performed by a remote authenticated user requiring elevated, non‑administrative privileges. Exploitation is restricted to users with advanced application‑specific permissions, indicating high privileges are required. Successful exploitation would have a high impact on integrity and confidentiality, with no impact on availability.

References (1)

Core 1

Core References

Vendor Advisory

https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/

Scores

CVSS v3 8.7

EPSS 0.0003

EPSS Percentile 10.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-89

Status published

Products (1)

esri/arcgis_server 10.9.1 - 11.3

Published Mar 03, 2025

Tracked Since Feb 18, 2026