CVE-2024-51951: 
ArcGIS Server vulnerability analysis and mitigation

A stored Cross-site Scripting (XSS) vulnerability has been identified in ArcGIS Server versions 10.9.1 through 11.3, tracked as CVE-2024-51951. The vulnerability was discovered and disclosed on March 3, 2025, by Environmental Systems Research Institute, Inc. This security flaw allows a remote authenticated attacker with publisher capabilities to create a stored crafted link that, when clicked, could execute arbitrary JavaScript code in the victim's browser (NVD).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). It has been assigned a CVSS v3.1 base score of 4.8 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The vulnerability requires high privileges (publisher capabilities) for exploitation and user interaction for successful execution (ESRI Blog).

The vulnerability has a low impact on both confidentiality and integrity, with no impact on availability. When successfully exploited, it allows the execution of arbitrary JavaScript code in the victim's browser, potentially leading to unauthorized access to user data or manipulation of web content (NVD).

Esri has released the ArcGIS Server Security 2025 Update 1 Patch to address this vulnerability. System administrators are advised to apply the security patch immediately to each ArcGIS Server machine (Windows or Linux) that participates in an ArcGIS Enterprise Site or Standalone deployment (ESRI Blog).