HomePentest-Tools.com Logo

Citrix NetScaler < 10.5 build 52.3nc Multiple Vulnerabilities CVE-2015-2840CVE-2015-2838CVE-2015-2839

Severity
Not available
CVSSv3 Score
Not available
Vulnerability description

Citrix NetScaler VPX is prone to multiple cross-site scripting vulnerabilities and a cross-site request forgery (CSRF) vulnerability because the application fails to properly sanitize user-supplied input.

Risk description

The following vulnerabilities exist: - CVE-2015-2840: Cross-site scripting (XSS) vulnerability in help/rt/large_search.html allows remote attackers to inject arbitrary web script or HTML via the searchQuery parameter. - CVE-2015-2839: The Nitro API uses an incorrect Content-Type when returning an error message, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the file_name JSON member in params/xen_hotfix/0 to nitro/v1/config/xen_hotfix. - CVE-2015-2838: Cross-site request forgery (CSRF) vulnerability in Nitro API allows remote attackers to hijack the authentication of administrators for requests that execute arbitrary commands as nsroot via shell metacharacters in the file_name JSON member in params/xen_hotfix/0 to nitro/v1/config/xen_hotfix. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authenticationcredentials and launch other attacks.

Recommendation

Update to 10.5 build 52.3nc or later.

Codename
Not available
Detectable with
Network Scanner
Scan engine
OpenVAS
Exploitable with Sniper
No
CVE Published
Apr 3, 2015
Detection added at
Software Type
Not available
Vendor
Not available
Product
Not available