CVE-2021-29113

Published: Dec 7, 2021Modified: Nov 21, 2024

4.7

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

Exploitability: 2.8 / Impact: 1.4

Source: NVD

Description

A remote file inclusion vulnerability in the ArcGIS Server help documentation may allow a remote, unauthenticated attacker to inject attacker supplied html into a page.

Affected (1)

Products: Esri: Arcgis Server

Esri

1 product

Arcgis Server

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Esri Arcgis Server	Up to 10.9.0

Related CWEs

CWE-829

Inclusion of Functionality from Untrusted Control Sphere

The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

CWE-98

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.

References (2)

https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-server-security-2021-update-2-patch-is-now-available

Source: psirt@esri.com

Not ApplicableVendor Advisory

https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-server-security-2021-update-2-patch-is-now-available

Source: af854a3a-2127-422b-91ae-364da2661108

Not ApplicableVendor Advisory

Timeline

No history available yet.