CVE-2022-38198— BUG-000146513 - Reflected XSS vulnerability in ArcGIS Server

CVSS 6.1 · Medium EPSS 0.53% · P67 Updated Apr 10, 2025

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2022-38198

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

BUG-000146513 - Reflected XSS vulnerability in ArcGIS Server

Source: NVD (National Vulnerability Database)

Vulnerability Description

There is a reflected cross site scripting issue in the Esri ArcGIS Server services directory versions 10.9.1 and below that may allow a remote, unauthenticated attacker to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the victim’s browser.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Source: NVD (National Vulnerability Database)

Vulnerability Type

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

Source: NVD (National Vulnerability Database)

Vulnerability Title

Esri ArcGIS Server 跨站脚本漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

Esri ArcGIS Server是美国环境系统研究所（Esri）公司的一个面向Web的可用于提供地理位置服务的企业级软件平台。 Esri ArcGIS Server 10.9.1及之前版本存在跨站脚本漏洞，该漏洞源于存在反射型跨站脚本问题，可能允许未经身份验证的远程攻击者诱使用户单击可能在受害者浏览器中执行任意JavaScript代码的特制链接。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
Esri	ArcGIS Server	All ~ 10.9.1	-

II. Public POCs for CVE-2022-38198

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2022-38198

请登录查看更多情报信息。

Same Patch Batch · Esri · 2022-10-25 · 6 CVEs total

CVE-2022-38196	6.5 MEDIUM	BUG-000150537 - ArcGIS Server has a local file inclusion (LFI) vulnerability
CVE-2022-38195	6.1 MEDIUM	BUG-000150540 - Reflected XSS vulnerability in ArcGIS Server
CVE-2022-38197	6.1 MEDIUM	BUG-000148347 Unvalidated redirect issues in ArcGIS Server.
CVE-2022-38199	6.1 MEDIUM	BUG-000144172 - Remote file download issue in ArcGIS Server
CVE-2022-38200	6.1 MEDIUM	BUG-000142376 - Reflected Cross-Site Scripting (XSS) vulnerability in ArcGIS Server.

IV. Related Vulnerabilities

Same product: ArcGIS Server

Same vendor: Esri

Same weakness: CWE-79

V. Comments for CVE-2022-38198

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2022-38198— BUG-000146513 - Reflected XSS vulnerability in ArcGIS Server

I. Basic Information for CVE-2022-38198

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2022-38198

III. Intelligence Information for CVE-2022-38198

Same Patch Batch · Esri · 2022-10-25 · 6 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2022-38198

Leave a comment