5.9 Medium
AI Score
Confidence
High
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.006 Low
EPSS
Percentile
77.6%
The Nitro API in Citrix NetScaler before 10.5 build 52.3nc uses an incorrect Content-Type when returning an error message, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the file_name JSON member in params/xen_hotfix/0 to nitro/v1/config/xen_hotfix.
CPE | Name | Operator | Version |
---|---|---|---|
citrix:netscaler | citrix netscaler | eq | 10.5 |
packetstormsecurity.com/files/130931/Citrix-NITRO-SDK-xen_hotfix-Cross-Site-Scripting.html
seclists.org/fulldisclosure/2015/Mar/128
www.securityfocus.com/archive/1/534935/100/0/threaded
www.securityfocus.com/bid/73311
www.securify.nl/advisory/SFY20140805/citrix_nitro_sdk_xen_hotfix_page_is_vulnerable_to_cross_site_scripting.html