Vulnerabilities > Esri > Critical
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2025-03-03 | CVE-2024-51962 | SQL Injection vulnerability in Esri Arcgis Server 10.9.1/11.1 A SQL injection vulnerability in ArcGIS Server allows an EDIT operation to modify Column properties allowing for the execution of a SQL Injection by a remote authenticated user with elevated (non admin) privileges. There is a high impact to integrity and confidentiality and no impact to availability. | 9.6 |
| 2024-04-04 | CVE-2024-25693 | Unspecified vulnerability in Esri Portal for Arcgis There is a path traversal in Esri Portal for ArcGIS versions <= 11.2. | 9.9 |
| 2022-08-16 | CVE-2022-38193 | Code Injection vulnerability in Esri Portal for Arcgis There is a code injection vulnerability in Esri Portal for ArcGIS versions 10.8.1 and below that may allow a remote, unauthenticated attacker to pass strings which could potentially cause arbitrary code execution. | 9.6 |
| 2021-12-07 | CVE-2021-29114 | SQL Injection vulnerability in Esri Arcgis Server A SQL injection vulnerability in feature services provided by Esri ArcGIS Server 10.9 and below allows a remote, unauthenticated attacker to impact the confidentiality, integrity and availability of targeted services via specifically crafted queries. | 9.8 |
| 2021-07-11 | CVE-2021-29102 | Server-Side Request Forgery (SSRF) vulnerability in Esri Arcgis Server A Server-Side Request Forgery (SSRF) vulnerability in ArcGIS Server Manager version 10.8.1 and below may allow a remote, unauthenticated attacker to forge GET requests to arbitrary URLs from the system, potentially leading to network enumeration or facilitating other attacks. | 9.1 |
| 2020-12-26 | CVE-2020-35712 | Server-Side Request Forgery (SSRF) vulnerability in Esri Arcgis Server Esri ArcGIS Server before 10.8 is vulnerable to SSRF in some configurations. | 9.8 |
| 2018-03-29 | CVE-2015-2002 | Range Error vulnerability in Esri Arcgisruntime SDK The ESRI ArcGis Runtime SDK before 10.2.6-2 for Android might allow attackers to execute arbitrary code by leveraging a finalize method in a Serializable class that improperly passes an attacker-controlled pointer to a native function. | 9.8 |