Citrix XenServer XenAPI HTTP Interfaces Cross-Site Scripting Vulnerability

Bugtraq ID:	30265
Class:	Input Validation Error
CVE:	CVE-2008-3253
Remote:	Yes
Local:	No
Published:	Jul 16 2008 12:00AM
Updated:	May 07 2015 05:27PM
Credit:	TEPCO
Vulnerable:	Citrix XenServer HP Integrated Select 4.1 Citrix XenServer HP Integrated Enterprise 4.1 Citrix XenServer Express Standard Edition 4.1 Citrix XenServer Express Enterprise Edition 4.1 Citrix XenServer Dell Edition Express 4.1 Citrix XenServer Dell Edition Enterprise 4.1 Citrix XenServer 4.1
Not Vulnerable:

Citrix XenServer XenAPI HTTP Interfaces Cross-Site Scripting Vulnerability

Citrix XenServer is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Citrix XenServer 4.1.0 is vulnerable.

Citrix XenServer XenAPI HTTP Interfaces Cross-Site Scripting Vulnerability

Attackers can exploit this issue by enticing an unsuspecting user to follow a malicious URI.

Citrix XenServer XenAPI HTTP Interfaces Cross-Site Scripting Vulnerability

Solution:
Citrix has released a hotfix that can be downloaded by issuing a 'Check for Updates' request from the XenCenter GUI.

Citrix XenServer XenAPI HTTP Interfaces Cross-Site Scripting Vulnerability

References:

• Citrix Homepage (Citrix)
  
• Citrix Security Bulletins (Citrix)
  
• Citrix Technical Support (Citrix)
  
• CTX117814 - Cross-site scripting vulnerability in XenServer XenAPI HTTP Interfac (Citrix)