CVE-2015-2838: CSRF
First published: Fri Apr 03 2015(Updated: )
Cross-site request forgery (CSRF) vulnerability in Nitro API in Citrix NetScaler before 10.5 build 52.3nc allows remote attackers to hijack the authentication of administrators for requests that execute arbitrary commands as nsroot via shell metacharacters in the file_name JSON member in params/xen_hotfix/0 to nitro/v1/config/xen_hotfix.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Citrix NetScaler | =10.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://packetstormsecurity.com/files/130937/Citrix-NITRO-SDK-Command-Injection.html
- http://seclists.org/fulldisclosure/2015/Mar/129
- http://www.securityfocus.com/archive/1/534936/100/0/threaded
- http://www.securityfocus.com/bid/73358
- https://www.exploit-db.com/exploits/36442/
- https://www.securify.nl/advisory/SFY20140806/command_injection_vulnerability_in_citrix_nitro_sdk_xen_hotfix_page.html
- collector/nvd-index
- agent/references
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/weakness
- agent/author
- agent/last-modified-date
- agent/tags
- agent/first-publish-date
- agent/description
- agent/event
- agent/source
- vendor/citrix
- canonical/citrix netscaler
- version/citrix netscaler/10.5