CVE-2015-2838
Summary
| CVE | CVE-2015-2838 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2015-04-03 14:59:00 UTC |
| Updated | 2018-10-09 19:56:00 UTC |
| Description | Cross-site request forgery (CSRF) vulnerability in Nitro API in Citrix NetScaler before 10.5 build 52.3nc allows remote attackers to hijack the authentication of administrators for requests that execute arbitrary commands as nsroot via shell metacharacters in the file_name JSON member in params/xen_hotfix/0 to nitro/v1/config/xen_hotfix. |
Risk And Classification
Problem Types: CWE-352
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Citrix NITRO SDK - Command Injection Vulnerability | EXPLOIT-DB | www.exploit-db.com | |
| Full Disclosure: Command injection vulnerability in Citrix NITRO SDK xen_hotfix page | FULLDISC | seclists.org | |
| Securify | MISC | www.securify.nl | Exploit |
| SecurityFocus | BUGTRAQ | www.securityfocus.com | |
| Citrix NITRO SDK Command Injection ≈ Packet Storm | MISC | packetstormsecurity.com | Exploit |
| Citrix NetScaler 'xen_hotfix' Page Command Injection Vulnerability | BID | www.securityfocus.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.