Citrix Web Interface On-line Help Feature Cross Site Scripting Vulnerability
Thursday, 20 December 2007 by Michel Roth
A vulnerability has been reported in Citrix Web Interface, which can be exploited by malicious people to conduct cross-site scripting attacks. Don't worry too much: you're only in a tight spot if you run a really old version of WI.

Certain unspecified input in the on-line help is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

The vulnerability affects the following products, which according to the vendor have already reached End-of-Life:
• Citrix NFuse - all versions
• Citrix Web Interface up to and including version 2.0

Check out the original advisory.
