| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Internet Connection Sharing (ICS) Denial of Service Vulnerability |
| Windows Active Directory Domain Services API Denial of Service Vulnerability |
| There is a stored Cross‑Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS versions 11.2 and below that may allow a remote, authenticated attacker to create a crafted link that can be saved as a new location when moving an existing item, which could potentially execute arbitrary JavaScript code in a victim’s browser. Exploitation does not require any privileges and can be performed by an anonymous user. |
| There is a cross‑site scripting (XSS) vulnerability in Esri Portal for ArcGIS Experience Builder versions 11.1 and below on Windows and Linux that allows a remote, authenticated attacker with low‑privileged access to create a crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim’s browser. Exploitation requires basic authenticated access but does not require elevated or administrative privileges, indicating low privileges are required. |
| There is an improper access control issue in ArcGIS Server versions 11.3 and below on Windows and Linux which, under unique circumstances, could allow a remote, low‑privileged authenticated attacker to access secure services published to a standalone (unfederated) ArcGIS Server instance. Successful exploitation results in unauthorized access to protected services outside the attacker’s originally assigned authorization boundary, constituting a scope change. If exploited, this issue would have a high impact on confidentiality, a low impact on integrity, and no impact on the availability of the software. |
| There is a difficult‑to‑exploit improper authentication issue in the Home application for Esri Portal for ArcGIS versions 11.2 and below on Windows and Linux, and ArcGIS Enterprise versions 11.1 and below on Kubernetes, which under unique circumstances could allow a remote, authenticated attacker with low‑privileged access to compromise the confidentiality, integrity, and availability of the software. Successful exploitation allows the attacker to cross an authentication and authorization boundary beyond their originally assigned access, resulting in a scope change. |
| Relative path traversal in Remote Desktop Client allows an unauthorized attacker to execute code over a network. |
| Improper access control in Windows Cross Device Service allows an authorized attacker to elevate privileges locally. |
| Buffer over-read in Windows NTFS allows an unauthorized attacker to disclose information locally. |
| Untrusted pointer dereference in Windows Subsystem for Linux allows an unauthorized attacker to execute code locally. |
| Improper access control in Windows Cross Device Service allows an authorized attacker to elevate privileges locally. |
| Use after free in Microsoft Local Security Authority Server (lsasrv) allows an authorized attacker to elevate privileges locally. |
| Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an unauthorized attacker to perform spoofing over a network. |
| Heap-based buffer overflow in Microsoft Streaming Service allows an authorized attacker to elevate privileges locally. |
| Heap-based buffer overflow in Windows Kernel-Mode Drivers allows an authorized attacker to elevate privileges locally. |
| Use after free in DNS Server allows an unauthorized attacker to execute code over a network. |
| Protection mechanism failure in Windows Mark of the Web (MOTW) allows an unauthorized attacker to bypass a security feature locally. |
| Incorrect conversion between numeric types in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally. |
| Heap-based buffer overflow in Windows Telephony Server allows an unauthorized attacker to execute code over a network. |
| Out-of-bounds read in Windows USB Video Driver allows an authorized attacker to disclose information with a physical attack. |
