CVE-2024-51962

  1. Yack CVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-51962

8.7 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 5.8

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

A

SQL injection vulnerability in ArcGIS Server allows an EDIT operation to modify column properties in a manner that could lead to SQL injection when performed by a remote authenticated user requiring elevated, non‑administrative privileges. Exploitation is restricted to users with advanced application‑specific permissions, indicating high privileges are required. Successful exploitation would have a high impact on integrity and confidentiality, with no impact on availability.

References
Link Resource
https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/ Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*
History

06 Feb 2026, 07:16

Type Values Removed Values Added
Summary (en) A SQL injection vulnerability in ArcGIS Server allows an EDIT operation to modify Column properties allowing for the execution of a SQL Injection by a remote authenticated user with elevated (non admin) privileges.  There is a high impact to integrity and confidentiality and no impact to availability. (en) A SQL injection vulnerability in ArcGIS Server allows an EDIT operation to modify column properties in a manner that could lead to SQL injection when performed by a remote authenticated user requiring elevated, non‑administrative privileges. Exploitation is restricted to users with advanced application‑specific permissions, indicating high privileges are required. Successful exploitation would have a high impact on integrity and confidentiality, with no impact on availability.

06 Mar 2025, 14:34

Type Values Removed Values Added
First Time Esri
Esri arcgis Server
CPE cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*
References () https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/ - () https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/ - Vendor Advisory
Summary
  • (es) Una vulnerabilidad de inyección SQL en ArcGIS Server permite que una operación EDIT modifique las propiedades de las columnas, lo que permite la ejecución de una inyección SQL por parte de un usuario autenticado remoto con privilegios elevados (no administrativos). Esto tiene un gran impacto en la integridad y la confidencialidad, pero no en la disponibilidad.

03 Mar 2025, 20:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-03-03 20:15

Updated : 2026-02-13 19:41

NVD link : CVE-2024-51962

Mitre link : CVE-2024-51962

CVE.ORG link : CVE-2024-51962

JSON object : View

Products Affected

esri

CWE
CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')