Esri — Vulnerabilities & Security Advisories (147)

Browse all 147 CVE security advisories affecting Esri. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Esri develops geographic information system (GIS) software, enabling organizations to map, analyze, and visualize spatial data for urban planning, logistics, and environmental management. The company’s extensive portfolio, including ArcGIS Server and Portal for ArcGIS, has historically been associated with 147 recorded Common Vulnerabilities and Exposures (CVEs). These security flaws predominantly involve remote code execution, cross-site scripting, and privilege escalation, often stemming from improper input validation or insecure default configurations in web-facing components. While no single catastrophic breach has defined the vendor’s public history, the high volume of vulnerabilities highlights the complexity of securing large-scale enterprise GIS deployments. Many issues require administrative access to exploit, yet successful attacks can lead to full system compromise or data exfiltration. Continuous patching and strict network segmentation remain critical for mitigating risks associated with these legacy and modern software components within critical infrastructure environments.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2023-25830 | BUG-000154662 Reflected XSS vulnerability in Portal for ArcGIS | Portal for ArcGIS | CWE-79 | 6.1 | Medium | 2023-05-09 |
| CVE-2023-25829 | BUG-000155001 - Unvalidated redirect in Portal for ArcGIS. | Portal for ArcGIS | CWE-601 | 6.1 | Medium | 2023-05-09 |
| CVE-2023-25834 | BUG-000142922 Incomplete permission changes in specific cases. | Portal for ArcGIS | CWE-269 | 5.4 | Medium | 2023-05-09 |
| CVE-2023-25832 | BUG-000148346 There is a Cross-Site Request Forgery (CSRF) vulnerability in Portal for ArcGIS. | Portal for ArcGIS | CWE-352 | 8.8 | High | 2023-05-09 |
| CVE-2022-38203 | The allowedProxyHosts property is not fully honored in ArcGIS Enterprise (10.8.1 and 10.7.1 only) | Portal for ArcGIS | CWE-918 | 7.5 | High | 2022-12-30 |
| CVE-2022-38204 | Reflected XSS vulnerability in Portal for ArcGIS (10.8.1 and 10.7.1 only) | ArcGIS Enterprise | CWE-79 | 6.1 | Medium | 2022-12-30 |
| CVE-2022-38205 | Portal for ArcGIS has a directory traversal vulnerability (10.9.1, 10.8.1 and 10.7.1 only) | ArcGIS Enterprise | CWE-23 | 8.6 | High | 2022-12-30 |
| CVE-2022-38206 | Reflected XSS vulnerability in Portal for ArcGIS (10.9.1, 10.8.1 and 10.7.1 only) | ArcGIS Enterprise | CWE-79 | 6.1 | Medium | 2022-12-30 |
| CVE-2022-38207 | Reflected XSS vulnerability in Portal for ArcGIS (10.8.1 and 10.7.1 only) | ArcGIS Enterprise | CWE-79 | 6.1 | Medium | 2022-12-30 |
| CVE-2022-38208 | Unvalidated redirect in Portal for ArcGIS | ArcGIS Enterprise | CWE-601 | 6.1 | Medium | 2022-12-30 |
| CVE-2022-38209 | Reflected XSS vulnerability in Portal for ArcGIS | ArcGIS Quickcapture | CWE-79 | 6.1 | Medium | 2022-12-30 |
| CVE-2022-38210 | HTML injection in accountswitcher-callback.html (10.9.1, 10.8.1 and 10.7.1 only) | ArcGIS Enterprise | CWE-80 | 6.1 | Medium | 2022-12-30 |
| CVE-2022-38211 | Server Side Request Forgery (SSRF) vulnerability in Portal for ArcGIS (10.9.1, 10.8.1 and 10.7.1 only) | ArcGIS Enterprise | CWE-918 | 7.5 | High | 2022-12-30 |
| CVE-2022-38212 | Server Side Request Forgery (SSRF) vulnerability in Portal for ArcGIS (10.8.1 and 10.7.1 only) | ArcGIS Enterprise | CWE-918 | 7.5 | High | 2022-12-30 |
| CVE-2022-38202 | BUG-000152121 - Directory traversal vulnerability in ArcGIS Server. | ArcGIS Server | CWE-23 | 7.5 | High | 2022-12-28 |
| CVE-2022-38201 | An unvalidated redirect vulnerability exists in Esri ArcGIS Quick Capture Web Designer versions 10.8.1 to 10.9.1. | ArcGIS Quickcapture | CWE-601 | 6.1 | Medium | 2022-11-15 |
| CVE-2022-38195 | BUG-000150540 - Reflected XSS vulnerability in ArcGIS Server | ArcGIS Server | CWE-79 | 6.1 | Medium | 2022-10-25 |
| CVE-2022-38196 | BUG-000150537 - ArcGIS Server has a local file inclusion (LFI) vulnerability | ArcGIS Server | CWE-22 | 6.5 | Medium | 2022-10-25 |
| CVE-2022-38197 | BUG-000148347 Unvalidated redirect issues in ArcGIS Server. | ArcGIS Server | CWE-601 | 6.1 | Medium | 2022-10-25 |
| CVE-2022-38198 | BUG-000146513 - Reflected XSS vulnerability in ArcGIS Server | ArcGIS Server | CWE-79 | 6.1 | Medium | 2022-10-25 |
| CVE-2022-38199 | BUG-000144172 - Remote file download issue in ArcGIS Server | ArcGIS Server | CWE-494 | 6.1 | Medium | 2022-10-25 |
| CVE-2022-38200 | BUG-000142376 - Reflected Cross-Site Scripting (XSS) vulnerability in ArcGIS Server. | ArcGIS Server | CWE-79 | 6.1 | Medium | 2022-10-25 |
| CVE-2022-38189 | There is a stored cross-site scripting (XSS) vulnerability in ArcGIS API for JavaScript. | Portal for ArcGIS | CWE-79 | 5.4 | Medium | 2022-08-16 |
| CVE-2022-38184 | There is an improper access control vulnerability in Portal for ArcGIS versions 10.8.1 | Portal for ArcGIS | CWE-284 | 7.5 | High | 2022-08-16 |
| CVE-2022-38192 | There is a stored cross-site scripting (XSS) vulnerability in ArcGIS API for JavaScript. | Portal for ArcGIS | CWE-79 | 6.1 | Medium | 2022-08-16 |
| CVE-2022-38193 | Code injection issue in Portal for ArcGIS (10.7.1 and 10.8.1) | Portal for ArcGIS | CWE-95 | 6.1 | Medium | 2022-08-16 |
| CVE-2022-38194 | Portal for ArcGIS system properties are not properly encrypted (10.8.1 only) | Portal for ArcGIS | CWE-311 | 6.7 | Medium | 2022-08-16 |
| CVE-2022-38191 | HTML injection vulnerability in Portal for ArcGIS | Portal for ArcGIS | CWE-74 | 6.1 | Medium | 2022-08-15 |
| CVE-2022-38187 | Prevent access to sharing/rest/content/features/analyze to unauthorized users | Portal for ArcGIS | CWE-918 | 7.5 | High | 2022-08-15 |
| CVE-2022-38188 | Esri Portal for ArcGIS cross-site scripting vulnerability | Portal for ArcGIS | CWE-79 | 6.1 | - | 2022-08-15 |

This page lists every published CVE security advisory associated with Esri. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.