Vulnerability CVE-2015-2838
Published: 2015-04-03

Description:
Cross-site request forgery (CSRF) vulnerability in Nitro API in Citrix NetScaler before 10.5 build 52.3nc allows remote attackers to hijack the authentication of administrators for requests that execute arbitrary commands as nsroot via shell metacharacters in the file_name JSON member in params/xen_hotfix/0 to nitro/v1/config/xen_hotfix.

Type:

CWE-352

 (Cross-Site Request Forgery (CSRF))

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
6.8/10
6.4/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial
Affected software
Citrix -> Netscaler 

 References:
http://packetstormsecurity.com/files/130937/Citrix-NITRO-SDK-Command-Injection.html
http://seclists.org/fulldisclosure/2015/Mar/129
http://www.securityfocus.com/archive/1/534936/100/0/threaded
http://www.securityfocus.com/bid/73358
https://www.exploit-db.com/exploits/36442/
https://www.securify.nl/advisory/SFY20140806/command_injection_vulnerability_in_citrix_nitro_sdk_xen_hotfix_page.html
Copyright 2024, cxsecurity.com

 

Back to Top