CVE-2009-3757
citrix xencenterweb - Cross-Site Scripting / SQL Injection / Remote Code Execution
- Severity Score:
- Exploit Likelihood:
- Affected Versions:
- Public Exploits: 5
- Exploited in Wild: -
- Decision: -
Descriptions
Multiple cross-site scripting (XSS) vulnerabilities in sample code in the XenServer Resource Kit in Citrix XenCenterWeb allow remote attackers to inject arbitrary web script or HTML via the (1) username parameter to config/edituser.php; (2) location, (3) sessionid, and (4) vmname parameters to console.php; (5) vmrefid and (6) vmname parameters to forcerestart.php; and (7) vmname and (8) vmrefid parameters to forcesd.php. NOTE: some of these details are obtained from third party information.
Multiple cross-site scripting (XSS) vulnerabilities in the XenServer Resource Kit in Citrix XenCenterWeb allow remote attackers to inject arbitrary web script or HTML via (1) the username parameter to config/edituser.php; (2) the location, (3) sessionid and (4) vmname parameters to console.php; (5) the vmrefid and (6) vmname parameters to forcerestart.php; and (7) the vmname and (8) vmrefid parameters to forcesd.php.
NOTE: some of these details were obtained from external sources.
CVSS Scores
SSVC
- Decision: -
Timeline
- 2009-07-10 First Exploit
- 2009-10-22 CVE Reserved
- 2009-10-22 CVE Published
- 2023-03-07 EPSS Updated
- 2024-08-07 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (8)
URL | Tag | Source
---|---|---
http://securitytracker.com/id?1022520 | Vdb Entry |
https://exchange.xforce.ibmcloud.com/vulnerabilities/51575 | Vdb Entry |

URL | Date | SRC
---|---|---
https://www.exploit-db.com/exploits/9106 | 2009-07-10 |
http://securenetwork.it/ricerca/advisory/download/SN-2009-01.txt | 2024-08-07 |
http://www.exploit-db.com/exploits/9106 | 2024-08-07 |
http://www.securityfocus.com/archive/1/504764 | 2024-08-07 |
http://www.securityfocus.com/bid/35592 | 2024-08-07 |
http://www.vupen.com/english/advisories/2009/1814 | 2017-09-19 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Citrix | Xencenterweb | * | - | Affected