Esri has released security patches to address serious vulnerabilities in ArcGIS for Server and the Web Adaptor for IIS. The Web Adaptor for the Java platform is unaffected by these vulnerabilities. The affected versions are 10.1 through 10.2.2.
We strongly recommend that all customers running affected versions of the software download and apply these patches as soon as possible, if they haven't done so already.
The ArcGIS Web Adaptor Security Patch fixes the following issues:
NIM102891 – ArcGIS Web Adaptor on IIS does not enforce authorization on a restricted URL
NIM102631 – ArcGIS Web Adaptor on IIS contains a cross-site scripting (XSS) vulnerability
The ArcGIS for Server Security Patch fixes the following issues:
NIM102197 – Unauthorized access to some resources from secured services is possible in certain circumstances. This occurs in ArcGIS for Server 10.2, 10.2.1, and 10.2.2.
NIM102939 – Multiple stored cross-site scripting (XSS) vulnerabilities found. This occurs in ArcGIS for Server 10.1, 10.1 SP1, 10.2, 10.2.1, and 10.2.2.