CVE-2022-38195 - Vulnerability Details - OpenCVE

There is as reflected cross site scripting issue in Esri ArcGIS Server versions 10.9.1 and below which may allow a remote unauthorized attacker able to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the victim’s browser.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Esri	Arcgis Server

Configuration 1 [-]

cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.esri.com/arcgis-blog/products/administration/administration/arcgis-server-security-2022-update-1-patch

History

Thu, 10 Apr 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Esri

Published: 2022-10-25T16:32:09.865Z

Updated: 2025-04-10T14:55:37.078Z

Reserved: 2022-08-12T00:00:00.000Z

Link: CVE-2022-38195

Vulnrichment

Updated: 2024-08-03T10:45:52.896Z

NVD

Status : Modified

Published: 2022-10-25T17:15:55.257

Modified: 2024-11-21T07:15:58.737

Link: CVE-2022-38195

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-38195", "assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e", "assignerShortName": "Esri", "datePublished": "2022-10-25T16:32:09.865Z", "dateUpdated": "2025-04-10T14:55:37.078Z", "dateReserved": "2022-08-12T00:00:00.000Z"}, "containers": {"cna": {"title": "BUG-000150540 - Reflected XSS vulnerability in ArcGIS Server", "datePublic": "2022-08-17T00:00:00.000Z", "providerMetadata": {"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e", "shortName": "Esri", "dateUpdated": "2022-10-25T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "There is as reflected cross site scripting issue in Esri ArcGIS Server versions 10.9.1 and below which may allow a remote unauthorized attacker able to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the victim\u2019s browser."}], "affected": [{"vendor": "Esri", "product": "ArcGIS Server", "versions": [{"version": "All", "status": "affected", "lessThanOrEqual": "10.9.1", "versionType": "custom"}], "platforms": ["x64"]}], "references": [{"url": "https://www.esri.com/arcgis-blog/products/administration/administration/arcgis-server-security-2022-update-1-patch"}], "credits": [{"lang": "en", "value": "Simone La Porta"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-79 Cross-site Scripting (XSS)", "cweId": "CWE-79"}]}], "x_generator": {"engine": "vulnogram 0.1.0-rc1"}, "source": {"defect": ["BUG-000150540"], "discovery": "EXTERNAL"}, "solutions": [{"lang": "en", "value": "Install ArcGIS Server Security 2022 Update 1 Patch https://support.esri.com/en/download/8043"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T10:45:52.896Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.esri.com/arcgis-blog/products/administration/administration/arcgis-server-security-2022-update-1-patch", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-10T14:49:41.441797Z", "id": "CVE-2022-38195", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-10T14:55:37.078Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.esri.com/arcgis-blog/products/administration/administration/arcgis-server-security-2022-update-1-patch", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T10:45:52.896Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-38195", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-10T14:49:41.441797Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-10T14:49:43.370Z"}}], "cna": {"title": "BUG-000150540 - Reflected XSS vulnerability in ArcGIS Server", "source": {"defect": ["BUG-000150540"], "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "value": "Simone La Porta"}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "Esri", "product": "ArcGIS Server", "versions": [{"status": "affected", "version": "All", "versionType": "custom", "lessThanOrEqual": "10.9.1"}], "platforms": ["x64"]}], "solutions": [{"lang": "en", "value": "Install ArcGIS Server Security 2022 Update 1 Patch https://support.esri.com/en/download/8043"}], "datePublic": "2022-08-17T00:00:00.000Z", "references": [{"url": "https://www.esri.com/arcgis-blog/products/administration/administration/arcgis-server-security-2022-update-1-patch"}], "x_generator": {"engine": "vulnogram 0.1.0-rc1"}, "descriptions": [{"lang": "en", "value": "There is as reflected cross site scripting issue in Esri ArcGIS Server versions 10.9.1 and below which may allow a remote unauthorized attacker able to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the victim\u2019s browser."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)"}]}], "providerMetadata": {"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e", "shortName": "Esri", "dateUpdated": "2022-10-25T00:00:00.000Z"}}}, "cveMetadata": {"cveId": "CVE-2022-38195", "state": "PUBLISHED", "dateUpdated": "2025-04-10T14:55:37.078Z", "dateReserved": "2022-08-12T00:00:00.000Z", "assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e", "datePublished": "2022-10-25T16:32:09.865Z", "assignerShortName": "Esri"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "5AFAD746-E495-4E4C-9256-17C1A06ADEB9", "versionEndIncluding": "10.9.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "There is as reflected cross site scripting issue in Esri ArcGIS Server versions 10.9.1 and below which may allow a remote unauthorized attacker able to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the victim\u2019s browser."}, {"lang": "es", "value": "Se presenta un problema de tipo cross site scripting reflejado en Esri ArcGIS Server versiones 10.9.1 y posteriores, que puede permitir a un atacante remoto no autorizado convencer a un usuario de que haga clic en un enlace dise\u00f1ado que podr\u00eda ejecutar c\u00f3digo JavaScript arbitrario en el navegador de la v\u00edctima"}], "id": "CVE-2022-38195", "lastModified": "2024-11-21T07:15:58.737", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "psirt@esri.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-10-25T17:15:55.257", "references": [{"source": "psirt@esri.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://www.esri.com/arcgis-blog/products/administration/administration/arcgis-server-security-2022-update-1-patch"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://www.esri.com/arcgis-blog/products/administration/administration/arcgis-server-security-2022-update-1-patch"}], "sourceIdentifier": "psirt@esri.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "psirt@esri.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}