CVE-2024-5888: 
ArcGIS Server vulnerability analysis and mitigation

A stored Cross-site Scripting (XSS) vulnerability has been identified in ArcGIS Server versions 10.9.1 through 11.3, tracked as CVE-2024-5888. The vulnerability was disclosed on March 3, 2025, and is classified with a medium severity rating (Recorded Future).

The vulnerability is categorized as CWE-79 (Improper Neutralization of Input During Web Page Generation), with a Base CVSS 3.1 score of 4.8 and a Temporal CVSS score of 4.3. The CVSS 4.0 base score is rated at 2.0, indicating a relatively moderate severity level (Esri Blog).

The stored XSS vulnerability could potentially allow a remote, authenticated attacker to inject malicious scripts that would be stored on the target server and executed when other users access the affected pages (NVD).

Esri has released the ArcGIS Server Security 2025 Update 1 Patch on February 18th, 2025, which addresses this vulnerability along with several other security issues. System administrators are strongly advised to apply this security patch immediately to all ArcGIS Server machines, whether running on Windows or Linux, that are part of an ArcGIS Enterprise Site or Standalone deployment (Esri Blog).