| The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them. |
|
 |
|
|
Computer vulnerabilities of ArcGIS for Server
ESRI ArcGIS for Server: code execution via Java rmid
Synthesis of the vulnerability
An attacker can use a vulnerability via Java rmid of ESRI ArcGIS for Server, in order to run code.
Impacted products: ArcGIS for Server.
Severity: 3/4.
Consequences: privileged access/rights, user access/rights.
Provenance: intranet client.
Creation date: 11/10/2017.
Identifiers: VIGILANCE-VUL-24098.
Description of the vulnerability
An attacker can use a vulnerability via Java rmid of ESRI ArcGIS for Server, in order to run code.
Full Vigil@nce bulletin... (Free trial) |
ESRI ArcGIS Server: multiple vulnerabilities
Synthesis of the vulnerability
An attacker can use several vulnerabilities of ESRI ArcGIS Server.
Impacted products: ArcGIS for Server.
Severity: 2/4.
Consequences: unknown consequence, administrator access/rights, privileged access/rights, user access/rights, client access/rights, data reading, data creation/edition, data deletion, data flow, denial of service on server, denial of service on service, denial of service on client, disguisement.
Provenance: document.
Creation date: 18/01/2017.
Identifiers: VIGILANCE-VUL-21617.
Description of the vulnerability
An attacker can use several vulnerabilities of ESRI ArcGIS Server.
Full Vigil@nce bulletin... (Free trial) |
ArcGIS for Desktop, Server: multiple Cross Site Scripting
Synthesis of the vulnerability
An attacker can trigger some Cross Site Scripting of ArcGIS for Desktop, Server, in order to execute JavaScript code in the context of the web site.
Impacted products: ArcGIS for Desktop, ArcGIS for Server.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 25/06/2015.
Identifiers: VIGILANCE-VUL-17236.
Description of the vulnerability
The ArcGIS for Desktop, Server product offers a web service.
However, it does not filter received data before storing them then inserting them in generated HTML documents.
An attacker can therefore trigger some Cross Site Scripting of ArcGIS for Desktop, Server, in order to execute JavaScript code in the context of the web site.
Full Vigil@nce bulletin... (Free trial) |
ArcGIS for Server: two vulnerabilities
Synthesis of the vulnerability
An attacker can use several vulnerabilities of ArcGIS for Server.
Impacted products: ArcGIS for Server.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 06/05/2015.
Identifiers: BUG-000084735, BUG-000084738, VIGILANCE-VUL-16827.
Description of the vulnerability
Several vulnerabilities were announced in ArcGIS for Server.
An attacker can trigger a Cross Site Scripting in ArcGIS, in order to execute JavaScript code in the context of the web site. [severity:2/4; BUG-000084738]
An attacker can trigger a Cross Site Scripting in Rest Services, in order to execute JavaScript code in the context of the web site. [severity:2/4; BUG-000084735]
Full Vigil@nce bulletin... (Free trial) |
ArcGIS for Server: multiple vulnerabilities
Synthesis of the vulnerability
An attacker can use several vulnerabilities of ArcGIS for Server.
Impacted products: ArcGIS for Server.
Severity: 3/4.
Consequences: client access/rights, data reading, data creation/edition.
Provenance: document.
Number of vulnerabilities in this bulletin: 4.
Creation date: 09/02/2015.
Identifiers: CERTFR-2014-ALE-007, CVE-2014-3566, VIGILANCE-VUL-16132, VU#577193.
Description of the vulnerability
Several vulnerabilities were announced in ArcGIS for Server.
An attacker can trigger a Cross Site Scripting, in order to execute JavaScript code in the context of the web site. [severity:2/4]
An attacker can deceive the user, in order to redirect him to a malicious site. [severity:1/4]
An attacker can trigger a Cross Site Scripting, in order to execute JavaScript code in the context of the web site. [severity:2/4]
An attacker, located as a Man-in-the-Middle, can decrypt a SSL 3.0 session, in order to obtain sensitive information (VIGILANCE-VUL-15485). [severity:3/4; CERTFR-2014-ALE-007, CVE-2014-3566, VU#577193]
Full Vigil@nce bulletin... (Free trial) |
ArcGIS for Server: multiple vulnerabilities
Synthesis of the vulnerability
An attacker can use several vulnerabilities of ArcGIS for Server.
Impacted products: ArcGIS for Server.
Severity: 2/4.
Consequences: client access/rights, data reading.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 12/12/2014.
Identifiers: VIGILANCE-VUL-15788.
Description of the vulnerability
Several vulnerabilities were announced in ArcGIS for Server.
An attacker can access to recently used tiles, in order to obtain sensitive information. [severity:2/4]
An attacker can trigger a Cross Site Scripting, in order to execute JavaScript code in the context of the web site. [severity:2/4]
Full Vigil@nce bulletin... (Free trial) |
OpenSSL: information disclosure via Heartbeat
Synthesis of the vulnerability
An attacker can use the Heartbeat protocol on an application compiled with OpenSSL, in order to obtain sensitive information, such as keys stored in memory.
Impacted products: Tomcat, ArubaOS, i-Suite, ProxyAV, ProxySG par Blue Coat, SGOS by Blue Coat, ARCserve Backup, ASA, Cisco Catalyst, IOS XE Cisco, Prime Infrastructure, Cisco PRSM, Cisco Router, Cisco CUCM, Cisco IP Phone, Cisco Unity ~ precise, XenDesktop, Clearswift Email Gateway, Clearswift Web Gateway, Debian, ECC, PowerPath, ArcGIS ArcView, ArcGIS for Desktop, ArcGIS for Server, Black Diamond, ExtremeXOS, Summit, BIG-IP Hardware, TMOS, Fedora, FortiClient, FortiGate, FortiGate Virtual Appliance, FortiOS, FreeBSD, HP Diagnostics, LoadRunner, Performance Center, AIX, WebSphere MQ, IVE OS, Juniper J-Series, Junos OS, Junos Pulse, Juniper Network Connect, Juniper SA, Juniper UAC, LibreOffice, McAfee Email Gateway, ePO, GroupShield, McAfee NGFW, VirusScan, McAfee Web Gateway, Windows 8, Windows RT, MySQL Enterprise, NetBSD, OpenBSD, OpenSSL, openSUSE, Opera, Solaris, pfSense, HDX, RealPresence Collaboration Server, Polycom VBP, Puppet, RHEL, RSA Authentication Manager, SIMATIC, Slackware, Sophos AV, Splunk Enterprise, Stonesoft NGFW/VPN, stunnel, ASE, OfficeScan, Ubuntu, Unix (platform) ~ not comprehensive, ESXi, VMware Player, vCenter Server, VMware vSphere, VMware vSphere Hypervisor, VMware Workstation, Websense Email Security, Websense Web Filter, Websense Web Security.
Severity: 3/4.
Consequences: data reading.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 08/04/2014.
Identifiers: 1669839, 190438, 2076225, 2962393, c04236102, c04267775, c04286049, CA20140413-01, CERTFR-2014-ALE-003, CERTFR-2014-AVI-156, CERTFR-2014-AVI-161, CERTFR-2014-AVI-162, CERTFR-2014-AVI-167, CERTFR-2014-AVI-169, CERTFR-2014-AVI-177, CERTFR-2014-AVI-178, CERTFR-2014-AVI-179, CERTFR-2014-AVI-180, CERTFR-2014-AVI-181, CERTFR-2014-AVI-198, CERTFR-2014-AVI-199, CERTFR-2014-AVI-213, cisco-sa-20140409-heartbleed, CTX140605, CVE-2014-0160, CVE-2014-0346-REJECT, DSA-2896-1, DSA-2896-2, emr_na-c04236102-7, ESA-2014-034, ESA-2014-036, ESA-2014-075, FEDORA-2014-4879, FEDORA-2014-4910, FEDORA-2014-4982, FEDORA-2014-4999, FG-IR-14-011, FreeBSD-SA-14:06.openssl, Heartbleed, HPSBMU02995, HPSBMU03025, HPSBMU03040, ICSA-14-105-03, JSA10623, MDVSA-2014:123, MDVSA-2015:062, NetBSD-SA2014-004, openSUSE-SU-2014:0492-1, openSUSE-SU-2014:0560-1, openSUSE-SU-2014:0719-1, pfSense-SA-14_04.openssl, RHSA-2014:0376-01, RHSA-2014:0377-01, RHSA-2014:0378-01, RHSA-2014:0396-01, RHSA-2014:0416-01, SA40005, SA79, SB10071, SOL15159, SPL-82696, SSA:2014-098-01, SSA-635659, SSRT101565, USN-2165-1, VIGILANCE-VUL-14534, VMSA-2014-0004, VMSA-2014-0004.1, VMSA-2014-0004.2, VMSA-2014-0004.3, VMSA-2014-0004.6, VMSA-2014-0004.7, VU#720951.
Description of the vulnerability
The Heartbeat extension of TLS (RFC 6520) provides a keep-alive feature, without performing a renegotiation. It exchanges random data in a payload.
Version 1.0.1 of OpenSSL implements Heartbeat, which is enabled by default. The [d]tls1_process_heartbeat() function manages Heartbeat messages. However, it does not check the size of random data, and continues to read after the end of the payload, and then sends the full memory area (up to 64kb) to the peer (client or server).
An attacker can therefore use the Heartbeat protocol on an application compiled with OpenSSL, in order to obtain sensitive information, such as keys stored in memory.
Full Vigil@nce bulletin... (Free trial) |
ArcGIS for Server: multiple vulnerabilities
Synthesis of the vulnerability
An attacker can use several vulnerabilities of ArcGIS for Server.
Impacted products: ArcGIS ArcView, ArcGIS for Desktop, ArcGIS for Server.
Severity: 2/4.
Consequences: client access/rights, data reading, data creation/edition, data deletion.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 4.
Creation date: 06/09/2013.
Identifiers: 41468, 41497, 41498, BID-62691, BID-62889, CVE-2013-5221, CVE-2013-5222, CVE-2013-7231, CVE-2013-7232, NIM092795, NIM092820, NIM093227, NIM094447, VIGILANCE-VUL-13359.
Description of the vulnerability
Several vulnerabilities were announced in ArcGIS for Server.
An attacker can trigger a persistent Cross Site Scripting of Mobile Content Directory, in order to execute JavaScript code in the context of the web site. [severity:2/4; 41468, BID-62889, CVE-2013-5222, CVE-2013-7231, NIM092820]
An attacker can trigger a non-persistent Cross Site Scripting, in order to execute JavaScript code in the context of the web site. [severity:2/4; 41498, BID-62889, CVE-2013-5222, NIM093227]
An administrator can upload any file type on the server. [severity:2/4; 41497, BID-62691, CVE-2013-5221, NIM092795]
An attacker can use a SQL injection in the Map/Feature service, in order to read or alter data. [severity:2/4; CVE-2013-7232, NIM094447]
Full Vigil@nce bulletin... (Free trial) |
ArcGIS Server: SQL injection
Synthesis of the vulnerability
An attacker can use a SQL injection in ArcGIS Server, in order to read or alter data.
Impacted products: ArcGIS ArcView, ArcGIS for Desktop, ArcGIS for Server.
Severity: 2/4.
Consequences: data reading.
Provenance: user account.
Creation date: 15/05/2013.
Identifiers: NIM084249, VIGILANCE-VUL-12830.
Description of the vulnerability
The ArcGIS Server product allows users to perform a search on maps.
However, user's data are directly inserted in a SQL query.
An attacker can therefore use a SQL injection in ArcGIS Server, in order to read or alter data.
Full Vigil@nce bulletin... (Free trial) |
ArcGIS: information leak about database tables
Synthesis of the vulnerability
An attacker who causes a server side error, can get information about the database schema.
Impacted products: ArcGIS ArcView, ArcGIS for Desktop, ArcGIS for Server.
Severity: 2/4.
Consequences: data reading.
Provenance: intranet client.
Creation date: 16/11/2012.
Identifiers: NIM085361, VIGILANCE-VUL-12168.
Description of the vulnerability
ArcGIS uses a relational database.
An attacker who causes a server side error, can get information about the database schema.
Full Vigil@nce bulletin... (Free trial) |
Our database contains other pages. You can request a free trial to read them.
Display information about ArcGIS for Server:
|