CVE-2022-38201 Esri Portal for ArcGIS Quick Capture Web Designer has an unvalidated redirect vulnerability.
To exploit this issue, an attacker would need to convince an authenticated user to visit a malicious web site while ArcGIS Quick Capture Web Designer is enabled. An attacker can leverage social engineering or application vulnerabilities to target users. Esri recommends that before enabling ArcGIS Quick Capture Web Designer, users should carefully consider the purpose of the web application and ensure that it meets their organizational needs.
Esri recommends that users consider the following before enabling ArcGIS Quick Capture Web Designer:
- ArcGIS Quick Capture Web Designer can be used to capture, view, or edit data from a wide array of web-based applications.
- ArcGIS Quick Capture Web Designer can be used by users across the organization.
- There is no security boundary between the ArcGIS Quick Capture Web Designer service and the ArcGIS Server environment.
- Esri ArcGIS Server and ArcGIS Quick Capture Web Designer are actively being exploited by malicious attackers.
Esri recommends that users take the following precautions to protect ArcGIS Quick Capture Web Designer.
This is a common issue that users of ArcGIS Quick Capture Web Designer should be aware of. Users should think about the purpose of the web application and ensure that it meets their organizational needs before enabling ArcGIS Quick Capture Web Designer.
ArcGIS Quick Capture Web Designer Behaviour—How to detect?
A malicious user may be able to exploit ArcGIS Quick Capture Web Designer and access data stored on the ArcGIS Server. The attacker can leverage social engineering or application vulnerabilities to target users.
Timeline
Published on: 11/15/2022 21:15:00 UTC
Last modified on: 11/21/2022 17:02:00 UTC