CVE-2015-2841 – Citrix Netscaler NS10.5 - WAF Bypass (Via HTTP Header Pollution)
https://notcve.org/view.php?id=CVE-2015-2841
Citrix NetScaler AppFirewall, as used in NetScaler 10.5, allows remote attackers to bypass intended firewall restrictions via a crafted Content-Type header, as demonstrated by the application/octet-stream and text/xml Content-Types.
• https://www.exploit-db.com/exploits/36369
• http://seclists.org/fulldisclosure/2015/Mar/95
• http://securitytracker.com/id/1031928
• CWE-284: Improper Access Control
CVE-2015-2839
https://notcve.org/view.php?id=CVE-2015-2839
The Nitro API in Citrix NetScaler before 10.5 build 52.3nc uses an incorrect Content-Type when returning an error message, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the file_name JSON member in params/xen_hotfix/0 to nitro/v1/config/xen_hotfix.
• http://packetstormsecurity.com/files/130931/Citrix-NITRO-SDK-xen_hotfix-Cross-Site-Scripting.html
• http://seclists.org/fulldisclosure/2015/Mar/128
• http://www.securityfocus.com/archive/1/534935/100/0/threaded
• http://www.securityfocus.com/bid/73311
• https://www.securify.nl/advisory/SFY20140805/citrix_nitro_sdk_xen_hotfix_page_is_vulnerable_to_cross_site_scripting.html
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-7140 – Citrix Netscaler SOAP Handler - Remote Code Execution
https://notcve.org/view.php?id=CVE-2014-7140
Unspecified vulnerability in the management interface in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway 10.x before 10.1-129.11 and 10.5 before 10.5-50.10 allows remote attackers to execute arbitrary code via unknown vectors.
• https://www.exploit-db.com/exploits/35180
• http://support.citrix.com/article/CTX200206
• http://www.securitytracker.com/id/1031129