Check Point Advisories

Update Protection against Citrix XenCenterWeb Cross Site Scripting Vulnerabilities

Check Point Reference: CPAI-2009-213
Date Published: 24 Jul 2009
Severity: High
Last Updated: Thursday 01 January, 2009
Source: SecurityFocus
Industry Reference: N/A
Protection Provided by:
Who is Vulnerable? Citrix XenCenterWeb
Vulnerability Description: Citrix XenCenterWeb is a web interface for managing Citrix XenServer environments. The username parameter is not sanitized, which may allow an attacker to inject JavaScript into the Citrix XenCenter management console through that parameter.
Update/Patch Available: No patch is currently available from Citrix.
Vulnerability Details: XenCenterWeb allows users to see a list of Virtual Machines in the Resource Pool, perform life-cycle actions (start, shutdown, restart, etc.), get basic information about the hosts in the Resource Pools, view information about the VMs, and connect to the consoles of the VMs. Lack of sanitization of the username parameter in the edituser.php script allows an attacker to perform cross-site scripting attacks against an affected system.
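The following detection logic is an added example, not part of the Check Point advisory or of the XenCenterWeb code: it scans constructed web-server access log lines for requests to edituser.php whose username parameter carries HTML or script markup, undoing nested percent-encoding so double-encoded values are caught as well. The log format, the /xencenterweb/ path prefix and the sample entries are assumptions.

```python
"""Flag requests that carry markup in the username parameter of edituser.php."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request line inside a combined-format access log entry: "METHOD /path?query HTTP/1.x"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Fragments that never belong in a legitimate user name: a tag, a javascript: URL, an event handler.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z]|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding so %253C is caught as well as %3C."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_usernames(line: str) -> list:
    """Return the decoded username values in this log line that contain markup."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    if not parts.path.lower().endswith("/edituser.php"):  # only the vulnerable script
        return []
    query = parse_qs(parts.query, keep_blank_values=True)  # parse_qs decodes one layer
    return [decode_fully(raw) for raw in query.get("username", [])
            if MARKUP_RE.search(decode_fully(raw))]


def scan(lines):
    """Yield (line number, offending value) pairs over an iterable of log lines."""
    return [(n, hit) for n, line in enumerate(lines, 1) for hit in suspicious_usernames(line)]


# Constructed sample entries (assumed path prefix; not taken from any real system).
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Jul/2009:10:00:01 +0000] "GET /xencenterweb/edituser.php?username=alice HTTP/1.1" 200 512',
    '10.0.0.7 - - [24/Jul/2009:10:00:02 +0000] "GET /xencenterweb/edituser.php?username=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 600',
    '10.0.0.8 - - [24/Jul/2009:10:00:03 +0000] "GET /xencenterweb/edituser.php?username=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 600',
    '10.0.0.9 - - [24/Jul/2009:10:00:04 +0000] "GET /xencenterweb/index.php?username=%3Cb%3Ex HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for lineno, value in scan(SAMPLE_LOG):
        print(f"line {lineno}: markup in username parameter: {value!r}")
```

The last sample line is deliberately ignored because the path is not edituser.php; widen the path check if other scripts in the application echo the same parameter.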

Protection Overview
