Prior to version 10.9.0, the sharing/rest/content/features/analyze endpoint is always accessible to anonymous users, which could allow an unauthenticated attacker to induce Esri Portal for ArcGIS to read arbitrary URLs.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Portal_for_arcgis | Esri | * | 10.9 (excluding) |