CVE-2023-25839: 
ArcGIS Insights Desktop vulnerability analysis and mitigation

A SQL injection vulnerability exists in Esri ArcGIS Insights Desktop for Mac and Windows version 2022.1 (CVE-2023-25839). The vulnerability was disclosed in June 2023 and affects the local database interaction functionality of the software. This security issue allows a local, authorized attacker to execute arbitrary SQL commands against the back-end database (Vendor Advisory).

The vulnerability is classified as CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'). It has been assigned a CVSS v3.1 Base Score of 7.0 (HIGH) with the vector string AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. The exploitation requires complex crafted input and significant effort before a successful attack can be achieved (NVD, Vendor Advisory).

If successfully exploited, this vulnerability allows an attacker to execute arbitrary SQL commands against the back-end database. Given the CVSS metrics, the vulnerability has high potential impact on confidentiality, integrity, and availability of the affected system (Vendor Advisory).

Esri released security patches for ArcGIS Insights 2022.1 on June 23, 2023. Users and system administrators are advised to install these patches at their earliest opportunity to address the vulnerability. The patches should be applied to each machine (Windows or Mac) where the ArcGIS Insights 2022.1 desktop client is installed (Vendor Advisory).