CVE-2024-51949 MEDIUM

CVE-2024-51949: Stored XSS vulnerability in Rest Services under OGCFeature Service and Map Service

Vendor Esri
Product ArcGIS Server
Weakness CWE-79 · XSS
Published March 3, 2025
Last update April 10, 2025
View on NVD All CVEs

CVSS base score

4.8/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.

Key dates

02Disclosure timeline

March 3, 2025 CVE published
April 10, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-1393 Elementor Addon Elements <= 1.12.12 - Authenticated (Contributor+) Stored Cross-Site Scripting via Content Switcher Widget CVE-2025-58850 WordPress Showpass WordPress Extension Plugin <= 4.0.3 - Cross Site Scripting (XSS) Vulnerability CVE-2020-1721 CVE-2025-58227 WordPress Podlove Subscribe button Plugin <= 1.3.11 - Cross Site Scripting (XSS) Vulnerability CVE-2024-52465 WordPress LGPD Framework plugin <= 2.0.2 - Reflected Cross Site Scripting (XSS) vulnerability