CVE-2021-29116: 
ArcGIS Server vulnerability analysis and mitigation

A stored Cross Site Scripting (XSS) vulnerability (CVE-2021-29116) was identified in Esri ArcGIS Server feature services versions 10.8.1 and 10.9. The vulnerability was discovered and disclosed in March 2021, affecting specific versions of the ArcGIS Server feature services (CVE Details).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) with a CVSS v3.1 Base Score of 6.1 (MEDIUM) and vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability allows remote, unauthenticated attackers to pass and store malicious strings via crafted queries which can potentially execute arbitrary JavaScript code in the user's browser (NVD).

When exploited, this vulnerability could allow attackers to execute arbitrary JavaScript code in users' browsers, potentially leading to unauthorized access to sensitive information or manipulation of web content. The CVSS scoring indicates low impact on both confidentiality and integrity, with no impact on availability (Vendor Advisory).

Esri has released the ArcGIS Server Security 2021 Update 2 Patch to address this vulnerability. System administrators are encouraged to install this security update at their earliest opportunity. Additionally, ensuring that services are not available anonymously can help mitigate the risk (Vendor Advisory).