The ArcGIS Server Security 2019 Update 2 Patch is presently live on the support page site. The URL is:
This security fix tends to various security vulnerabilities found in ArcGIS Server. Esri suggests that clients utilizing ArcGIS Server 10.7.1, 10.6.1, 10.5.1, and 10.4.1 apply this fix.
Issues Addressed with this fix include:
• BUG-000125044 – Hosted highlight administration has a put away cross-site scripting (XSS) weakness. (10.7.1 and 10.6.1 as it were)
CVSS 3.0 Base Score: 4.6 – CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
• BUG-000123103 – ArcGIS Server inappropriately handles an inaccurate CORS root.
CVSS 3.0 Base Score: 4.2 – CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
• BUG-000124991 – ArcGIS Server neglects to completely import root or middle of the road declarations. (10.7.1 and 10.6.1 as it were)
See fix page for rundown of aggregate issues.