Esri's ArcGIS server version 10.1 contains a blind SQL injection vulnerability that allows remote attackers to execute a subset of SQL commands via a query operation where clause.
The Esri ArcGIS server version 10.1 contains a blind SQL injection vulnerability (CWE-89) for REST service queries. The where form field when constructing a query does not properly sanitize SQL commands from the input.
A remote authenticated attacker may be able to run a subset of SQL commands against the back-end database.
Apply an Update
Disable the query
Thank you to the reporter that wishes to remain anonymous.
This document was written by Jared Allar.
|Date First Published:||2012-11-09|
|Date Last Updated:||2012-11-19 16:05 UTC|