CVE-2022-38184— There is an improper access control vulnerability in Portal for ArcGIS versions 10.8.1
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2022-38184
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
There is an improper access control vulnerability in Portal for ArcGIS versions 10.8.1
Source: NVD (National Vulnerability Database)
Vulnerability Description
There is an improper access control vulnerability in Portal for ArcGIS versions 10.8.1 and below which could allow a remote, unauthenticated attacker to access an API that may induce Esri Portal for ArcGIS to read arbitrary URLs.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
访问控制不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
Esri Portal For ArcGis 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Esri Portal For ArcGis是美国Esri公司的一种允许在组织内与其他人共享地图、场景、应用程序和其他地理信息的组件。 Portal for ArcGIS 10.8.1及之前版本存在安全漏洞,该漏洞源于存在不正确的访问控制漏洞,可能允许未经身份验证的远程攻击者访问可能导致其读取任意 URL的API。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Esri | Portal for ArcGIS | All ~ 10.8.1 | - |
II. Public POCs for CVE-2022-38184
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2022-38184
请登录查看更多情报信息。
Same Patch Batch · Esri · 2022-08-16 · 5 CVEs total
| CVE-2022-38194 | 6.7 MEDIUM | Portal for ArcGIS system properties are not properly encrypted (10.8.1 only) |
| CVE-2022-38192 | 6.1 MEDIUM | There is a stored cross-site scripting (XSS) vulnerability in ArcGIS API for JavaScript. |
| CVE-2022-38193 | 6.1 MEDIUM | Code injection issue in Portal for ArcGIS (10.7.1 and 10.8.1) |
| CVE-2022-38189 | 5.4 MEDIUM | There is a stored cross-site scripting (XSS) vulnerability in ArcGIS API for JavaScript. |
IV. Related Vulnerabilities
Same product: Portal for ArcGIS
- CVE-2026-33519
Incorrect privilege assignment in Portal for ArcGIS - CVE-2026-33518
Incorrect privilege assignment in Portal for ArcGIS - CVE-2025-57871
BUG-000174020 - Reflected XSS vulnerability identified in Po - CVE-2025-57872
BUG-000174150 - Unvalidated redirect in Portal for ArcGIS. - CVE-2025-57873
BUG-000175222 - Reflected XSS vulnerability in Portal for Ar
Same vendor: Esri
- CVE-2026-33519
Incorrect privilege assignment in Portal for ArcGIS - CVE-2026-33518
Incorrect privilege assignment in Portal for ArcGIS - CVE-2026-1446
XSS issue is Esri ArcGIS Pro versions 3.6.0 and earlier - CVE-2025-67711
Reflected XSS vulnerability in ArcGIS Server. - CVE-2025-67710
Stored XSS vulnerability in ArcGIS Server
Same weakness: CWE-284
- CVE-2026-8233
Dotouch XproUPF access control - CVE-2026-42569
phpvms: /importer authorization bypass causing full database - CVE-2026-42205
Avo: Broken Access Control: Unauthorized Execution of Arbitr - CVE-2026-41487
Langfuse: Improper role-based-access control in Langfuse LLM - CVE-2026-42278
UltraDAG: Smart Account Spending Policy Bypass via Pockets
V. Comments for CVE-2022-38184
No comments yet