ArcGIS Server, a popular tool for sharing geographic information via web services, helps power maps for organizations large and small. In versions 10.8.1 and 10.7.1, a Cross Site Scripting (XSS) vulnerability was discovered, now tracked as CVE-2022-38200. If you use these versions, you may be at risk!

This detailed post will help you understand what this vulnerability means, how it could be exploited, and how to protect your maps and your users.

What is CVE-2022-38200?

CVE-2022-38200 is a reflected Cross Site Scripting (XSS) vulnerability. In simple terms: if an attacker can get a victim to open a specially crafted URL that points at a vulnerable ArcGIS Server, the server echoes part of that URL back into its response without encoding it, and the victim’s browser runs the attacker’s JavaScript in the context of the ArcGIS Server origin. The root cause is missing output encoding: user-supplied input is reflected into an HTML response without being escaped for the context it lands in.

Where’s the Bug?

The exact vulnerable endpoint is not spelled out here. What the advisory does say is that the attack needs a crafted link, which is the signature of reflected XSS: the payload travels in a request parameter and comes back in the response. The walkthrough below uses a map service query endpoint to illustrate that pattern, so treat the endpoint and parameter as an example of where such a reflection could occur, not as the confirmed injection point.

Suppose your map service exposes a layer query endpoint like

https://YOUR-SERVER/arcgis/rest/services/<ServiceName>/MapServer/<LayerId>/query

Parameters such as f (the response format; f=html asks for a browsable HTML page) and where (the SQL-style filter) could be reflected into that page. Any parameter that is echoed without being HTML-encoded is a potential injection point.

If the parameter were reflected unencoded, a GET request like this would trigger the script:

https://yourserver.com/arcgis/rest/services/example/MapServer/0/query?f=html&where=1=1<SCRIPT>alert('Hack!')</SCRIPT>

(Layer id 0 stands in for whichever layer your service exposes.) If ArcGIS Server writes the value of where into the HTML response without escaping it, the browser parses the <SCRIPT> tag as markup and executes it.

The same payload sent with cURL, percent-encoded so that the shell and the HTTP layer pass it through intact:

curl "https://yourserver.com/arcgis/rest/services/example/MapServer/0/query?f=html&where=1=1%3Cscript%3Ealert('XSS')%3C/script%3E"

cURL only prints the response; it does not execute scripts, so the check is on the body. If <script>alert('XSS')</script> comes back verbatim, the parameter is reflected without encoding and opening the same URL in a browser will show the alert box (unless a Content Security Policy blocks inline script). If it comes back as &lt;script&gt;alert('XSS')&lt;/script&gt;, the server is encoding the value correctly.

The reflected HTML in a vulnerable response would look something like this (illustrative, not captured output):

<!-- response snippet produced by the crafted URL -->
<p>Query results for: 1=1<script>alert('XSS')</script></p>
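To turn the manual cURL check above into something repeatable, here is a small probe, added as an example for this post (it is not Esri code and not part of the original article). It builds the percent-encoded probe URL and classifies a response body as vulnerable (a live <script> tag with our marker came back), escaped (the marker is there but only in encoded form) or not reflected. The endpoint, layer id 0 and the where parameter are assumptions carried over from the illustrative URL above; the sample responses are constructed, not captured from a real server.

```javascript
// Added example (not from the original post, and not Esri's code): build the
// probe URL and classify a server response. The endpoint, layer id 0 and the
// `where` parameter are assumptions carried over from the illustrative URL above.
const MARKER = "xssprobe";                              // unique string we look for in the response
const PROBE_PAYLOAD = `1=1<script>alert('${MARKER}')</script>`;

// Build the probe URL with proper percent-encoding. URLSearchParams encodes
// <, >, ', =, ( and / so the payload survives the shell and the HTTP layer intact.
function buildProbeUrl(base, serviceName, layerId, payload = PROBE_PAYLOAD) {
  const url = new URL(`/arcgis/rest/services/${serviceName}/MapServer/${layerId}/query`, base);
  url.searchParams.set("f", "html");     // HTML response: the only context where a reflected tag runs
  url.searchParams.set("where", payload);
  return url.toString();
}

// Classify a response body:
//   "vulnerable"    a live <script> tag containing our marker came back unencoded
//   "escaped"       the marker is present but only in encoded/inert form (&lt;script&gt; ...)
//   "not-reflected" the parameter value is not echoed at all
// A raw tag inside a quoted attribute value is also reported as "vulnerable";
// confirm that case in a browser or with a "><script> style payload.
function classifyReflection(body, marker = MARKER) {
  const liveTag = new RegExp(`<script\\b[^>]*>[^<]*${marker}`, "i");
  if (liveTag.test(body)) return "vulnerable";
  if (body.includes(marker)) return "escaped";
  return "not-reflected";
}

// Fetch the probe URL and classify the live response (Node 18+ global fetch).
async function probe(base, serviceName, layerId = 0) {
  const res = await fetch(buildProbeUrl(base, serviceName, layerId));
  const body = await res.text();
  return { status: res.status, verdict: classifyReflection(body) };
}

// Constructed sample responses (not captured from a real ArcGIS Server) so the
// classifier can be exercised offline.
const SAMPLE_VULNERABLE = `<html><body><p>Query results for: ${PROBE_PAYLOAD}</p></body></html>`;
const SAMPLE_ESCAPED = `<html><body><p>Query results for: 1=1&lt;script&gt;alert(&#39;${MARKER}&#39;)&lt;/script&gt;</p></body></html>`;
const SAMPLE_CLEAN = `<html><body><p>Invalid or unsupported query.</p></body></html>`;

// Usage against a real server you are authorised to test:
//   node probe.js https://yourserver.com example 0
const target = process.argv[2];
if (target && target.startsWith("http")) {
  probe(target, process.argv[3] || "example", process.argv[4] || 0)
    .then((r) => console.log(r))
    .catch((e) => console.error(e.message));
}
```

Only run this against servers you own or are authorised to test. The marker is deliberately a plain word rather than alert('XSS') so that the "escaped" verdict does not depend on how the server encodes quotes.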

Impact

Because ArcGIS Server often runs inside corporate or public map portals, a successful attack could have widespread impact. A reflected XSS runs the attacker’s script in the victim’s browser under the ArcGIS Server origin, so whatever that user can see or do there, the script can do on their behalf: read map and feature data they are authorised for, send requests with their session, or quietly redirect them to a phishing page. The attacker still has to get the victim to open the crafted link, so phishing e-mails and poisoned links in forums or support tickets are the usual delivery routes.

How to Protect Your Server

1. Upgrade Immediately

Esri released a security patch addressing this issue. Apply it to every 10.7.1 and 10.8.1 deployment, or move to a currently supported release; Esri’s security updates page lists the available patch for each version.
- ArcGIS Security Updates

2. Validate & Sanitize Inputs

You cannot change how ArcGIS Server itself renders its REST pages, so this applies to everything you build around it: custom web apps, proxies, and server extensions (SOEs and SOIs) that echo request parameters back to the user. Treat every parameter as untrusted and encode it for the context it lands in (HTML body, attribute, JavaScript, URL) at the point of output. Input validation alone is not enough, because a perfectly legitimate where clause can contain < and quotes; the value has to be preserved, it just must never become markup.
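As an added example for this section (not Esri’s code: ArcGIS Server is closed source and its rendering code is not public), here is the pattern behind the reflection bug beside its hardened form. The vulnerable function concatenates the where parameter straight into HTML; the safe versions encode it for the text and attribute contexts, and a small helper picks the right Content-Type and nosniff header for the ArcGIS f=json / f=pjson / f=html formats so a reflected value inside a JSON body is never rendered as HTML.

```javascript
// Added example (not the original post's code and not Esri's). It shows the
// pattern behind a reflected XSS and the fix: encode for the output context at
// the point of output. The `where` parameter and the f=html/json/pjson formats
// are the ArcGIS REST parameters used in the URLs above.
const ATTACK = "1=1<script>alert('XSS')</script>";

// Vulnerable pattern: the raw parameter is concatenated straight into HTML.
function renderResultsVulnerable(where) {
  return `<p>Query results for: ${where}</p>`;
}

// Entity-encode the five characters that can change meaning in HTML text and
// quoted attribute values. This is output encoding, not input validation:
// the legitimate value is preserved, it just cannot become markup.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: identical output for normal input, inert for hostile input.
function renderResultsSafe(where) {
  return `<p>Query results for: ${escapeHtml(where)}</p>`;
}

// Attribute context: the attribute must be quoted AND the value encoded,
// otherwise a value like "><script> closes the tag and breaks out.
function renderWhereInputSafe(where) {
  return `<input name="where" value="${escapeHtml(where)}">`;
}

// Response headers by ArcGIS format. For f=json / f=pjson the body must be
// served as JSON with nosniff so a browser never interprets a reflected tag
// inside the JSON as HTML, even when the URL is opened directly.
function responseHeadersFor(format) {
  const type =
    format === "json" || format === "pjson" ? "application/json; charset=utf-8"
    : format === "html" ? "text/html; charset=utf-8"
    : "text/plain; charset=utf-8";
  return { "Content-Type": type, "X-Content-Type-Options": "nosniff" };
}
```

The encoder is deliberately context-specific: it is correct for HTML text and quoted attributes, but a value placed inside a <script> block or a URL needs JavaScript-string or URL encoding instead, which is why templating engines that auto-escape per context are preferable to hand-rolled string concatenation.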

3. Disable Unused Services

Publish only the services that genuinely need to be reachable from the internet, and keep the rest behind the firewall or behind authentication. A reflected XSS still needs a reachable URL to point the victim at, so every service you stop exposing is one fewer place for the crafted link to land.

4. Web Application Firewall (WAF)

A WAF in front of ArcGIS Server can block the obvious payloads (<script>, onerror=, javascript:) and buys time while the patch is scheduled. Treat it as a stopgap, not a fix: encoding and case variations routinely slip past signature rules, so a WAF reduces noise rather than closing the hole.

5. Content Security Policy

Serve a Content Security Policy from the reverse proxy or web server in front of ArcGIS Server. A policy whose script-src does not contain 'unsafe-inline' (or carries a nonce, which makes browsers ignore 'unsafe-inline') stops a reflected <script> tag from executing even while the reflection bug is present. Test it against your own applications first: ArcGIS web apps that rely on inline scripts will break under a strict policy, and a policy that is loosened to 'unsafe-inline' to keep them working gives no protection against this class of bug.
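Whether a given policy actually blocks a reflected inline script is easy to get wrong, so here is a small checker, added as an example for this post (not part of the original article and not an Esri component). It parses a Content-Security-Policy header, finds the directive that governs inline script elements (script-src-elem, then script-src, then default-src) and applies the rule that an injected script, which has no valid nonce and an unknown hash, runs only when 'unsafe-inline' is present and not ignored. The sample policies are constructed for illustration, not headers ArcGIS Server sends by default.

```javascript
// Added example (not from the original post or Esri): parse a
// Content-Security-Policy header and decide whether an attacker-injected
// inline <script> would execute under it. The sample policies are
// assumptions for illustration, not headers ArcGIS Server sends by default.

// Split "name src src; name src" into a Map of directive name -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Inline <script> elements are governed by script-src-elem, then script-src,
// then default-src (CSP3 fallback order). No governing directive means no restriction.
function effectiveScriptSources(directives) {
  for (const name of ["script-src-elem", "script-src", "default-src"]) {
    if (directives.has(name)) return directives.get(name);
  }
  return null;
}

// An injected inline script (no nonce, unknown hash) runs only when the
// governing directive contains 'unsafe-inline' AND that keyword is not
// ignored. Browsers ignore 'unsafe-inline' as soon as a nonce, a hash or
// 'strict-dynamic' appears in the same directive.
function reflectedInlineScriptBlocked(header) {
  const sources = effectiveScriptSources(parseCsp(header));
  if (sources === null) return false;           // nothing governs scripts: the tag runs
  const lower = sources.map((s) => s.toLowerCase());
  const unsafeInline = lower.includes("'unsafe-inline'");
  const ignored = lower.some((s) => /^'(nonce-|sha(256|384|512)-|strict-dynamic')/.test(s));
  return !unsafeInline || ignored;
}

// Constructed example policies.
const CSP_STRICT = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";
const CSP_LOOSE = "default-src 'self'; script-src 'self' 'unsafe-inline'";
const CSP_NONCE = "script-src 'nonce-r4nd0mBase64' 'unsafe-inline' 'strict-dynamic'";
const CSP_WILDCARD = "default-src *";           // allows any host, but still not inline script
const CSP_ABSENT = "";                          // header not sent at all

// Usage: print the verdict for each example policy.
for (const [label, policy] of Object.entries({ CSP_STRICT, CSP_LOOSE, CSP_NONCE, CSP_WILDCARD, CSP_ABSENT })) {
  console.log(label.padEnd(12), reflectedInlineScriptBlocked(policy) ? "blocks reflected <script>" : "allows reflected <script>");
}
```

Two caveats the checker does not cover: CSP only governs what the browser will execute, so an attacker can still inject a <script src> pointing at any host the policy allows (including 'self' if user-uploaded content is served from the same origin), and it does nothing against non-script injection such as spoofed content or form hijacking. It is defence in depth until the patch is applied, not a substitute for it.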

References

- NVD Entry for CVE-2022-38200
- Esri Official Security Advisory
- OWASP XSS Explanation

Final Thoughts

CVE-2022-38200 is a reminder that even powerful GIS tools like ArcGIS Server can have weaknesses, especially when dealing with user input. Patch early, patch often—and always keep security in mind when exposing web services.

Do you have questions about hardening your ArcGIS environments or responsibly testing for XSS? Let me know below!

Timeline

Published on: 10/25/2022 17:15:00 UTC
Last modified on: 10/31/2022 13:40:00 UTC