CVE-2024-51959: 
ArcGIS Server vulnerability analysis and mitigation

A stored Cross-site Scripting (XSS) vulnerability has been identified in ArcGIS Server versions 10.9.1 through 11.3, tracked as CVE-2024-51959. The vulnerability was discovered and disclosed on March 3, 2025, affecting the ArcGIS Server software platform. This security issue requires high-level privileges (publisher capabilities) for exploitation (NVD).

The vulnerability allows a remote, authenticated attacker to create a stored crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim's browser. The vulnerability has been assigned a CVSS v3.1 base score of 4.8 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD, ESRI Blog).

The vulnerability has a low impact on both confidentiality and integrity, with no impact on availability. The exploitation requires high privileges and user interaction, which somewhat limits its potential impact. The temporal CVSS score has been adjusted to 4.3, reflecting the availability of an official patch (ESRI Blog).

Esri has released the ArcGIS Server Security 2025 Update 1 Patch on February 18th, 2025, which addresses this vulnerability along with several other security issues. System administrators are advised to apply these patches immediately to each ArcGIS Server machine (Windows or Linux) that participates in an ArcGIS Enterprise Site or Standalone deployment (ESRI Blog).