Open-source Geoportal Server Security Patch

We recently patched a Cross-Site-Scripting (XSS) vulnerability within Geoportal Server and posted the patch to GitHub. Current 1.2.7 installations should just apply the patch, whereas installations before 1.2.7 will need to upgrade to 1.2.7 and then apply this patch.  The actual XSS vulnerability is only of moderate risk, however we expect that the details for exploiting the vulnerability will likely be made publically available, and therefore recommend ensuring this patch is deployed in a timely manner.


This patch is only for the open-source Geoportal Server and not a vulnerability or patch related to the Esri commercial offering of Portal for ArcGIS.


Geoportal Server 1.2.7 Patch 1 – Available now

This entry was posted in Security and tagged , , . Bookmark the permalink.

Leave a Reply


  1. johnmdye says:

    Why is GeoPortal still a thing? Why can’t a modern web application like OpenData just be made available to Enterprises?

    • Hi John,
      Geoportal Server fills a niche of standards-based metadata catalogs implementing OGC/ISO specs to work in environments where not all users/participants have ArcGIS. We mentioned it in this security blog because we released a patch for it for organizations who are still using it. The Open Data on-prem desire is something best addressed in another blog, but we will forward your request to the Open Data team.