CVE-2024-51963: 
ArcGIS Server vulnerability analysis and mitigation

A stored Cross-site Scripting (XSS) vulnerability has been identified in ArcGIS Server versions 10.9.1 through 11.3, tracked as CVE-2024-51963. The vulnerability was discovered and disclosed on March 3, 2025, affecting the ArcGIS Server software platform. This security issue requires publisher capabilities for exploitation, indicating a high privilege requirement for potential attackers (NVD).

The vulnerability is classified as a stored Cross-site Scripting (CWE-79) issue that allows a remote, authenticated attacker to create a stored crafted link. When clicked, this link could potentially execute arbitrary JavaScript code in the victim's browser. The vulnerability has received a CVSS v3.1 base score of 4.8 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. Additionally, a CVSS v4.0 score of 2.0 has been assigned to reflect the temporal impact (ESRI Blog).

The vulnerability has been assessed to have low impact on both confidentiality and integrity, with no impact on availability. The exploitation requires high privileges (publisher capabilities), which somewhat limits the potential scope of attacks. The successful exploitation could lead to the execution of arbitrary JavaScript code in the victim's browser, potentially compromising user sessions or leading to other client-side attacks (NVD).

Esri has released the ArcGIS Server Security 2025 Update 1 Patch on February 18th, 2025, which addresses this vulnerability along with several other security issues. System administrators are strongly advised to apply these patches immediately to each ArcGIS Server machine (Windows or Linux) that participates in an ArcGIS Enterprise Site or Standalone deployment (ESRI Blog).