CSRF Vulnerabilities in Citrix XenCenterWeb Affecting Administrator Authentication
CVE-2009-3759

8.8 HIGH

Key Information:

Vendor:
Citrix

CVE Published:
22 October 2009

Summary

Multiple cross-site request forgery (CSRF) vulnerabilities exist in the sample code of the XenServer Resource Kit shipped with Citrix XenCenterWeb. They allow remote attackers to hijack the authentication of administrators: an attacker can craft a request that, when issued by a logged-in administrator's browser, changes the password through the config/changepw.php page, or stops a virtual machine through the hardstopvm.php script by supplying the stop_vmname parameter. This exposes administrators to significant risk, compromising both the integrity and the availability of the virtual resources they manage.
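The root cause in both scripts is a state-changing request that is accepted on the strength of the session cookie alone. As an added illustration (not XenCenterWeb's own code; only the script name and the stop_vmname parameter come from this advisory, all other names are hypothetical), here is a handler in the style of hardstopvm.php guarded by a session-bound synchronizer token and an Origin check:

```php
<?php
// Added example, not the XenServer Resource Kit's code. Hypothetical helpers;
// hard_stop_vm() is a placeholder for the real VM-stop call.
session_start();

// Issue one random token per session and embed it in every state-changing form.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// A request is acceptable only if it is a POST, carries the session's token
// (compared in constant time), and, when the browser sends an Origin header,
// that origin is this site. A cross-site page cannot read the token, so a
// forged request fails here.
function csrf_request_is_valid(array $server, array $post, string $expectedOrigin): bool {
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;                       // a GET link must never change state
    }
    $sent = $post['csrf_token'] ?? '';
    if ($sent === '' || empty($_SESSION['csrf_token'])) {
        return false;
    }
    if (!hash_equals($_SESSION['csrf_token'], $sent)) {
        return false;
    }
    if (isset($server['HTTP_ORIGIN']) && $server['HTTP_ORIGIN'] !== $expectedOrigin) {
        return false;                       // form posted from another origin
    }
    return true;
}

function hard_stop_vm(string $vm): void {
    error_log("hard stop requested for VM '$vm'");   // placeholder for the real action
}

// Vulnerable pattern (the class of bug in this CVE): act on any request naming a VM.
//   hard_stop_vm($_REQUEST['stop_vmname']);
//
// Hardened pattern: reject anything that does not prove it came from our own form.
if (!csrf_request_is_valid($_SERVER, $_POST, 'https://xencenterweb.example')) {
    http_response_code(403);
    exit('Rejected: missing or invalid CSRF token');
}
$vm = $_POST['stop_vmname'] ?? '';
if ($vm === '') { http_response_code(400); exit('stop_vmname is required'); }
hard_stop_vm($vm);
// Form side: <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token()) ?>">
```

The same guard applies unchanged to a password-change handler such as config/changepw.php, where the form additionally should require the current password so a forged or replayed request cannot set a new one.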

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published: 22 October 2009

  • Vulnerability reserved