Citrix XenServer Virtual Switch Controller
Version: 6.0.1 and earlier
Severity level: Medium
Access Vector: Network exploitable
Base Score: 4.3
CVE: not assigned
Positive Research Center has discovered a URL redirector abuse vulnerability in Citrix XenServer Virtual Switch Controller.
The URL redirector (the GET parameter last_page of the login page) allows forwarding to an arbitrary location, which lets an attacker conduct a phishing attack.
Update your software to the latest version.
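For developers of similar login pages, one way to validate a post-login redirect parameter such as last_page before using it in a redirect. This is an added example, not Citrix's code or the vendor's fix; the function name, the default landing path and the sample values are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_LANDING = "/"  # assumed post-login landing page (hypothetical)


def safe_redirect_target(last_page, default=DEFAULT_LANDING):
    """Return last_page only if it is a path on this site, else default."""
    if not last_page:
        return default
    # Browsers treat "\" like "/" and drop tab/CR/LF inside URLs, so
    # "/\host" or "/<TAB>/host" can end up as "//host". Reject, don't repair.
    if "\\" in last_page or any(ord(c) < 0x20 or ord(c) == 0x7F for c in last_page):
        return default
    # Must be an absolute path; "//host/..." is scheme-relative (off-site).
    if not last_page.startswith("/") or last_page.startswith("//"):
        return default
    # Second opinion from the URL parser: no scheme, no authority.
    parts = urlsplit(last_page)
    if parts.scheme or parts.netloc:
        return default
    return last_page


# Constructed sample values for the last_page parameter.
SAMPLES = [
    "/dashboard?tab=2",
    "http://phish.example/login",
    "//phish.example/login",
    "/\\phish.example/login",
    "/\t/phish.example/login",
    "",
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(repr(value), "->", safe_redirect_target(value))
```

Only the first sample is returned unchanged; every other value falls back to the default landing page.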
10.11.2011 - Vendor is notified
10.11.2011 - Vendor gets vulnerability details
13.03.2012 - Vendor releases fixed version and details
27.03.2012 - Public disclosure
The vulnerability was discovered by Kirill Mosolov, Maxim Tsoy, Positive Research Center (Positive Technologies Company)