CVE-2024-51960: 
ArcGIS Server vulnerability analysis and mitigation

A stored Cross-site Scripting (XSS) vulnerability has been identified in ArcGIS Server versions 10.9.1 through 11.3, tracked as CVE-2024-51960. The vulnerability was disclosed on March 3, 2025, and affects the ArcGIS Server software platform. This security issue requires high-level privileges (publisher capabilities) for exploitation and allows a remote authenticated attacker to create a stored crafted link that could execute arbitrary JavaScript code when clicked by a victim (NVD).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS v3.1 Base Score of 4.8 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The CVSS v4.0 Base Score is 2.0, indicating a relatively lower severity under the newer scoring system. The temporal CVSS score has been adjusted to 4.3, reflecting the availability of an official patch (Vendor Advisory).

The vulnerability has a low impact on both confidentiality and integrity, with no impact on availability. The successful exploitation requires high privileges and user interaction, limiting its potential impact. The attack could potentially lead to the execution of arbitrary JavaScript code in the victim's browser when clicking a specially crafted link (NVD).

Esri has released the ArcGIS Server Security 2025 Update 1 Patch on February 18th, 2025, which addresses this vulnerability along with several other security issues. System administrators are advised to apply this security patch immediately to all ArcGIS Server machines (Windows or Linux) that participate in an ArcGIS Enterprise Site or Standalone deployment (Vendor Advisory).