CVE-2009-3757 – citrix xencenterweb - Cross-Site Scripting / SQL Injection / Remote Code Execution
https://notcve.org/view.php?id=CVE-2009-3757
Multiple cross-site scripting (XSS) vulnerabilities in sample code in the XenServer Resource Kit in Citrix XenCenterWeb allow remote attackers to inject arbitrary web script or HTML via the (1) username parameter to config/edituser.php; (2) location, (3) sessionid, and (4) vmname parameters to console.php; (5) vmrefid and (6) vmname parameters to forcerestart.php; and (7) vmname and (8) vmrefid parameters to forcesd.php. NOTE: some of these details are obtained from third party information.
References:
https://www.exploit-db.com/exploits/9106
http://securenetwork.it/ricerca/advisory/download/SN-2009-01.txt
http://securitytracker.com/id?1022520
http://www.exploit-db.com/exploits/9106
http://www.securityfocus.com/archive/1/504764
http://www.securityfocus.com/bid/35592
http://www.vupen.com/english/advisories/2009/1814
https://exchange.xforce.ibmcloud.com/vulnerabilities/51575
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2009-3760 – citrix xencenterweb - Cross-Site Scripting / SQL Injection / Remote Code Execution
https://notcve.org/view.php?id=CVE-2009-3760
Static code injection vulnerability in config/writeconfig.php in the sample code in the XenServer Resource Kit in Citrix XenCenterWeb allows remote attackers to inject arbitrary PHP code into include/config.ini.php via the pool1 parameter. NOTE: some of these details are obtained from third party information.
References:
https://www.exploit-db.com/exploits/9106
http://securenetwork.it/ricerca/advisory/download/SN-2009-01.txt
http://securitytracker.com/id?1022520
http://www.exploit-db.com/exploits/9106
http://www.securityfocus.com/archive/1/504764
http://www.securityfocus.com/bid/35592
http://www.vupen.com/english/advisories/2009/1814
Weakness: CWE-94: Improper Control of Generation of Code ('Code Injection')
CVE-2009-3758 – citrix xencenterweb - Cross-Site Scripting / SQL Injection / Remote Code Execution
https://notcve.org/view.php?id=CVE-2009-3758
SQL injection vulnerability in login.php in sample code in the XenServer Resource Kit in Citrix XenCenterWeb allows remote attackers to execute arbitrary SQL commands via the username parameter. NOTE: some of these details are obtained from third party information.
References:
https://www.exploit-db.com/exploits/9106
http://securenetwork.it/ricerca/advisory/download/SN-2009-01.txt
http://securitytracker.com/id?1022520
http://www.exploit-db.com/exploits/9106
http://www.securityfocus.com/archive/1/504764
http://www.securityfocus.com/bid/35592
http://www.vupen.com/english/advisories/2009/1814
https://exchange.xforce.ibmcloud.com/vulnerabilities/51574
Weakness: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2009-3759 – citrix xencenterweb - Cross-Site Scripting / SQL Injection / Remote Code Execution
https://notcve.org/view.php?id=CVE-2009-3759
Multiple cross-site request forgery (CSRF) vulnerabilities in sample code in the XenServer Resource Kit in Citrix XenCenterWeb allow remote attackers to hijack the authentication of administrators for (1) requests that change the password via the username parameter to config/changepw.php or (2) requests that stop a virtual machine via the stop_vmname parameter to hardstopvm.php. NOTE: some of these details are obtained from third party information.
References:
https://www.exploit-db.com/exploits/9106
http://securenetwork.it/ricerca/advisory/download/SN-2009-01.txt
http://securitytracker.com/id?1022520
http://www.exploit-db.com/exploits/9106
http://www.securityfocus.com/archive/1/504764
http://www.securityfocus.com/bid/35592
http://www.vupen.com/english/advisories/2009/1814
https://exchange.xforce.ibmcloud.com/vulnerabilities/51576
Weakness: CWE-352: Cross-Site Request Forgery (CSRF)