CVE-2021-29116 MEDIUM

CVE-2021-29116: BUG-000142180 Hosted feature services vulnerable to stored XSS

Vendor Esri
Product ArcGIS Server
Weakness CWE-79 · XSS
Published December 7, 2021
Last update April 10, 2025

CVSS base score

6.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

A stored Cross Site Scripting (XSS) vulnerability in Esri ArcGIS Server feature services versions 10.8.1 and 10.9 (only) feature services may allow a remote, unauthenticated attacker to pass and store malicious strings via crafted queries which when accessed could potentially execute arbitrary JavaScript code in the user’s browser.

Key dates

02Disclosure timeline

December 7, 2021 CVE published
April 10, 2025 Record updated