6.8
CVE-2015-2838
- EPSS 2.88%
- Veröffentlicht 03.04.2015 14:59:01
- Zuletzt bearbeitet 06.05.2026 22:30:45
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
Cross-site request forgery (CSRF) vulnerability in Nitro API in Citrix NetScaler before 10.5 build 52.3nc allows remote attackers to hijack the authentication of administrators for requests that execute arbitrary commands as nsroot via shell metacharacters in the file_name JSON member in params/xen_hotfix/0 to nitro/v1/config/xen_hotfix.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 2.88% | 0.85 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.8 | 8.6 | 6.4 |
AV:N/AC:M/Au:N/C:P/I:P/A:P
|
CWE-352 Cross-Site Request Forgery (CSRF)
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
http://packetstormsecurity.com/files/130937/Citrix-NITRO-SDK-Command-Injection.html
http://seclists.org/fulldisclosure/2015/Mar/129
http://www.securityfocus.com/archive/1/534936/100/0/threaded
http://www.securityfocus.com/bid/73358
https://www.exploit-db.com/exploits/36442/
https://www.securify.nl/advisory/SFY20140806/command_injection_vulnerability_in_citrix_nitro_sdk_xen_hotfix_page.html