Search criteria
4 vulnerabilities found for ArcGIS Quickcapture by Esri
CVE-2022-38209 (GCVE-0-2022-38209)
Vulnerability from cvelistv5 – Published: 2022-12-30 05:13 – Updated: 2025-04-10 14:53
VLAI
Title
Reflected XSS vulnerability in Portal for ArcGIS
Summary
There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.9.1 and below which may allow a remote, unauthenticated attacker to create a crafted link which when clicked could execute arbitrary JavaScript code in the victim’s browser.
Severity
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Esri | ArcGIS Quickcapture |
Affected:
Portal for ArcGIS , ≤ 10.9.1
(custom)
|
Date Public
2022-12-05 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T10:45:52.975Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2022-update-2-patch-is-now-available"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-38209",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-10T14:49:20.536797Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-10T14:53:41.363Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"platforms": [
"x64"
],
"product": "ArcGIS Quickcapture",
"vendor": "Esri",
"versions": [
{
"lessThanOrEqual": "10.9.1",
"status": "affected",
"version": "Portal for ArcGIS",
"versionType": "custom"
}
]
}
],
"datePublic": "2022-12-05T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.9.1 and below which may allow a remote, unauthenticated attacker to create a crafted link which when clicked could execute arbitrary JavaScript code in the victim\u2019s browser."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-29T00:00:00.000Z",
"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"shortName": "Esri"
},
"references": [
{
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2022-update-2-patch-is-now-available"
}
],
"source": {
"defect": [
"BUG-000152437"
],
"discovery": "EXTERNAL"
},
"title": "Reflected XSS vulnerability in Portal for ArcGIS",
"x_generator": {
"engine": "vulnogram 0.1.0-rc1"
}
}
},
"cveMetadata": {
"assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"assignerShortName": "Esri",
"cveId": "CVE-2022-38209",
"datePublished": "2022-12-30T05:13:00.217Z",
"dateReserved": "2022-08-12T00:00:00.000Z",
"dateUpdated": "2025-04-10T14:53:41.363Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-38201 (GCVE-0-2022-38201)
Vulnerability from cvelistv5 – Published: 2022-11-15 00:00 – Updated: 2025-04-10 14:55
VLAI
Title
An unvalidated redirect vulnerability exists in Esri ArcGIS Quick Capture Web Designer versions 10.8.1 to 10.9.1.
Summary
An unvalidated redirect vulnerability exists in Esri Portal for ArcGIS Quick Capture Web Designer versions 10.8.1 to 10.9.1. A remote, unauthenticated attacker can potentially induce an unsuspecting authenticated user to access an an attacker controlled domain.
Severity
6.1 (Medium)
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Esri | ArcGIS Quickcapture |
Affected:
10.8.1 , ≤ 10.9.1
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T10:45:52.960Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.esri.com/arcgis-blog/products/product/uncategorized/portal-for-arcgis-quick-capture-security-patch-is-now-available"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-38201",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-10T14:49:38.659723Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-10T14:55:25.138Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"platforms": [
"x64"
],
"product": "ArcGIS Quickcapture",
"vendor": "Esri",
"versions": [
{
"lessThanOrEqual": "10.9.1",
"status": "affected",
"version": "10.8.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Hussein Bahmad"
}
],
"descriptions": [
{
"lang": "en",
"value": "An unvalidated redirect vulnerability exists in Esri Portal for ArcGIS Quick Capture Web Designer versions 10.8.1 to 10.9.1. A remote, unauthenticated attacker can potentially induce an unsuspecting authenticated user to access an an attacker controlled domain."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-15T00:00:00.000Z",
"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"shortName": "Esri"
},
"references": [
{
"url": "https://www.esri.com/arcgis-blog/products/product/uncategorized/portal-for-arcgis-quick-capture-security-patch-is-now-available"
}
],
"source": {
"defect": [
"BUG-000145824"
],
"discovery": "EXTERNAL"
},
"title": "An unvalidated redirect vulnerability exists in Esri ArcGIS Quick Capture Web Designer versions 10.8.1 to 10.9.1.",
"x_generator": {
"engine": "vulnogram 0.1.0-rc1"
}
}
},
"cveMetadata": {
"assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"assignerShortName": "Esri",
"cveId": "CVE-2022-38201",
"datePublished": "2022-11-15T00:00:00.000Z",
"dateReserved": "2022-08-12T00:00:00.000Z",
"dateUpdated": "2025-04-10T14:55:25.138Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-38209 (GCVE-0-2022-38209)
Vulnerability from nvd – Published: 2022-12-30 05:13 – Updated: 2025-04-10 14:53
VLAI
Title
Reflected XSS vulnerability in Portal for ArcGIS
Summary
There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.9.1 and below which may allow a remote, unauthenticated attacker to create a crafted link which when clicked could execute arbitrary JavaScript code in the victim’s browser.
Severity
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Esri | ArcGIS Quickcapture |
Affected:
Portal for ArcGIS , ≤ 10.9.1
(custom)
|
Date Public
2022-12-05 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T10:45:52.975Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2022-update-2-patch-is-now-available"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-38209",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-10T14:49:20.536797Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-10T14:53:41.363Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"platforms": [
"x64"
],
"product": "ArcGIS Quickcapture",
"vendor": "Esri",
"versions": [
{
"lessThanOrEqual": "10.9.1",
"status": "affected",
"version": "Portal for ArcGIS",
"versionType": "custom"
}
]
}
],
"datePublic": "2022-12-05T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.9.1 and below which may allow a remote, unauthenticated attacker to create a crafted link which when clicked could execute arbitrary JavaScript code in the victim\u2019s browser."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-29T00:00:00.000Z",
"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"shortName": "Esri"
},
"references": [
{
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2022-update-2-patch-is-now-available"
}
],
"source": {
"defect": [
"BUG-000152437"
],
"discovery": "EXTERNAL"
},
"title": "Reflected XSS vulnerability in Portal for ArcGIS",
"x_generator": {
"engine": "vulnogram 0.1.0-rc1"
}
}
},
"cveMetadata": {
"assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"assignerShortName": "Esri",
"cveId": "CVE-2022-38209",
"datePublished": "2022-12-30T05:13:00.217Z",
"dateReserved": "2022-08-12T00:00:00.000Z",
"dateUpdated": "2025-04-10T14:53:41.363Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-38201 (GCVE-0-2022-38201)
Vulnerability from nvd – Published: 2022-11-15 00:00 – Updated: 2025-04-10 14:55
VLAI
Title
An unvalidated redirect vulnerability exists in Esri ArcGIS Quick Capture Web Designer versions 10.8.1 to 10.9.1.
Summary
An unvalidated redirect vulnerability exists in Esri Portal for ArcGIS Quick Capture Web Designer versions 10.8.1 to 10.9.1. A remote, unauthenticated attacker can potentially induce an unsuspecting authenticated user to access an an attacker controlled domain.
Severity
6.1 (Medium)
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Esri | ArcGIS Quickcapture |
Affected:
10.8.1 , ≤ 10.9.1
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T10:45:52.960Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.esri.com/arcgis-blog/products/product/uncategorized/portal-for-arcgis-quick-capture-security-patch-is-now-available"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-38201",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-10T14:49:38.659723Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-10T14:55:25.138Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"platforms": [
"x64"
],
"product": "ArcGIS Quickcapture",
"vendor": "Esri",
"versions": [
{
"lessThanOrEqual": "10.9.1",
"status": "affected",
"version": "10.8.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Hussein Bahmad"
}
],
"descriptions": [
{
"lang": "en",
"value": "An unvalidated redirect vulnerability exists in Esri Portal for ArcGIS Quick Capture Web Designer versions 10.8.1 to 10.9.1. A remote, unauthenticated attacker can potentially induce an unsuspecting authenticated user to access an an attacker controlled domain."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-15T00:00:00.000Z",
"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"shortName": "Esri"
},
"references": [
{
"url": "https://www.esri.com/arcgis-blog/products/product/uncategorized/portal-for-arcgis-quick-capture-security-patch-is-now-available"
}
],
"source": {
"defect": [
"BUG-000145824"
],
"discovery": "EXTERNAL"
},
"title": "An unvalidated redirect vulnerability exists in Esri ArcGIS Quick Capture Web Designer versions 10.8.1 to 10.9.1.",
"x_generator": {
"engine": "vulnogram 0.1.0-rc1"
}
}
},
"cveMetadata": {
"assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"assignerShortName": "Esri",
"cveId": "CVE-2022-38201",
"datePublished": "2022-11-15T00:00:00.000Z",
"dateReserved": "2022-08-12T00:00:00.000Z",
"dateUpdated": "2025-04-10T14:55:25.138Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}