CVE-2024-51946: 
ArcGIS Server vulnerability analysis and mitigation

A stored Cross-site Scripting (XSS) vulnerability has been identified in ArcGIS Server versions 10.9.1 through 11.3, tracked as CVE-2024-51946. The vulnerability was disclosed on March 3, 2025, and affects the ArcGIS Server software platform. This security issue allows a remote, authenticated attacker with publisher capabilities to create a stored crafted link that, when clicked, could execute arbitrary JavaScript code in the victim's browser (NVD).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). According to the CVSS v3.1 scoring system, it has received a base score of 4.8 (MEDIUM) with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The temporal CVSS score is 4.3, and the CVSS v4.0 base score is 2.0, reflecting the availability of an official patch (Vendor Advisory).

The vulnerability has a low impact on both confidentiality and integrity while having no impact on availability. The attack requires high privileges (publisher capabilities) to execute, which somewhat limits its potential impact (NVD).

Esri has released the ArcGIS Server Security 2025 Update 1 Patch on February 18th, 2025, which addresses this vulnerability along with several others. System administrators are advised to apply this security patch immediately to all ArcGIS Server machines (Windows or Linux) that participate in an ArcGIS Enterprise Site or Standalone deployment (Vendor Advisory).