CVE-2022-38200 (GCVE-0-2022-38200)
Vulnerability from cvelistv5
Published
2022-10-25 16:31
Modified
2025-04-10 14:56
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE
  • CWE-79 - Cross-site Scripting (XSS)
Summary
A cross site scripting vulnerability exists in some map service configurations of ArcGIS Server versions 10.8.1 and 10.7.1. Specifically crafted web requests can execute arbitrary JavaScript in the context of the victim's browser.
References
psirt@esri.comhttps://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-server-map-service-security-2022-update-1-is-now-availableBroken Link
af854a3a-2127-422b-91ae-364da2661108https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-server-map-service-security-2022-update-1-is-now-availableBroken Link
Impacted products
Vendor Product Version
Esri ArcGIS Server Version: All   <
Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T10:45:52.917Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-server-map-service-security-2022-update-1-is-now-available"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-38200",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-10T14:50:01.857994Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-10T14:56:29.402Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ArcGIS Server",
          "vendor": "Esri",
          "versions": [
            {
              "lessThanOrEqual": "10.8.1",
              "status": "affected",
              "version": "All",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2022-07-22T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A cross site scripting vulnerability exists in some map service configurations of ArcGIS Server versions 10.8.1 and 10.7.1. Specifically crafted web requests can execute arbitrary JavaScript in the context of the victim\u0027s browser."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Cross-site Scripting (XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-10-25T00:00:00.000Z",
        "orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
        "shortName": "Esri"
      },
      "references": [
        {
          "url": "https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-server-map-service-security-2022-update-1-is-now-available"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "ArcGIS Server Map Service Security 2022 Update 1 Patch\nhttps://support.esri.com/en/download/8042"
        }
      ],
      "source": {
        "defect": [
          "BUG-000142376"
        ],
        "discovery": "EXTERNAL"
      },
      "title": "BUG-000142376 - Reflected Cross-Site Scripting (XSS) vulnerability in ArcGIS Server.",
      "x_generator": {
        "engine": "vulnogram 0.1.0-rc1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
    "assignerShortName": "Esri",
    "cveId": "CVE-2022-38200",
    "datePublished": "2022-10-25T16:31:44.000Z",
    "dateReserved": "2022-08-12T00:00:00.000Z",
    "dateUpdated": "2025-04-10T14:56:29.402Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-38200\",\"sourceIdentifier\":\"psirt@esri.com\",\"published\":\"2022-10-25T17:15:55.527\",\"lastModified\":\"2024-11-21T07:16:02.850\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A cross site scripting vulnerability exists in some map service configurations of ArcGIS Server versions 10.8.1 and 10.7.1. Specifically crafted web requests can execute arbitrary JavaScript in the context of the victim\u0027s browser.\"},{\"lang\":\"es\",\"value\":\"Se presenta una vulnerabilidad de tipo cross site scripting en algunas configuraciones de servicios de mapas de ArcGIS Server versiones 10.8.1 y 10.7.1. Las peticiones web espec\u00edficamente dise\u00f1adas pueden ejecutar JavaScript arbitrario en el contexto del navegador de la v\u00edctima\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"psirt@esri.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"psirt@esri.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:esri:arcgis_server:10.7.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3ACE85AE-02C4-407F-A215-8A5FA0C42E08\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:esri:arcgis_server:10.8.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B7C6EF29-8C8D-45F4-9ECD-F40797F011C7\"}]}]}],\"references\":[{\"url\":\"https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-server-map-service-security-2022-update-1-is-now-available\",\"source\":\"psirt@esri.com\",\"tags\":[\"Broken Link\"]},{\"url\":\"https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-server-map-service-security-2022-update-1-is-now-available\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-server-map-service-security-2022-update-1-is-now-available\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T10:45:52.917Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-38200\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-10T14:50:01.857994Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-10T14:50:04.575Z\"}}], \"cna\": {\"title\": \"BUG-000142376 - Reflected Cross-Site Scripting (XSS) vulnerability in ArcGIS Server.\", \"source\": {\"defect\": [\"BUG-000142376\"], \"discovery\": \"EXTERNAL\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 6.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"Esri\", \"product\": \"ArcGIS Server\", \"versions\": [{\"status\": \"affected\", \"version\": \"All\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"10.8.1\"}]}], \"solutions\": [{\"lang\": \"en\", \"value\": \"ArcGIS Server Map Service Security 2022 Update 1 Patch\\nhttps://support.esri.com/en/download/8042\"}], \"datePublic\": \"2022-07-22T00:00:00.000Z\", \"references\": [{\"url\": \"https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-server-map-service-security-2022-update-1-is-now-available\"}], \"x_generator\": {\"engine\": \"vulnogram 0.1.0-rc1\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A cross site scripting vulnerability exists in some map service configurations of ArcGIS Server versions 10.8.1 and 10.7.1. Specifically crafted web requests can execute arbitrary JavaScript in the context of the victim\u0027s browser.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79 Cross-site Scripting (XSS)\"}]}], \"providerMetadata\": {\"orgId\": \"cedc17bb-4939-4f40-a1f4-30ae8af1094e\", \"shortName\": \"Esri\", \"dateUpdated\": \"2022-10-25T00:00:00.000Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-38200\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-10T14:56:29.402Z\", \"dateReserved\": \"2022-08-12T00:00:00.000Z\", \"assignerOrgId\": \"cedc17bb-4939-4f40-a1f4-30ae8af1094e\", \"datePublished\": \"2022-10-25T16:31:44.000Z\", \"assignerShortName\": \"Esri\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.