Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).
CVE-2015-2838 — Cross-Site Request Forgery in Citrix Netscaler
Severity
6.8 MEDIUM (NVD)
EPSS
4.3%
top 11.10%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
Timeline
Published: Apr 3
Latest update: May 14
Description
Cross-site request forgery (CSRF) vulnerability in Nitro API in Citrix NetScaler before 10.5 build 52.3nc allows remote attackers to hijack the authentication of administrators for requests that execute arbitrary commands as nsroot via shell metacharacters in the file_name JSON member in params/xen_hotfix/0 to nitro/v1/config/xen_hotfix.
CVSS vector
AV:N/AC:M/C:P/I:P/A:P | Exploitability: 8.6 | Impact: 6.4
Affected Packages: 2 packages
Vulnerability Details
GHSA (1)
GHSA-49gh-f88v-9xqf: Cross-site request forgery (CSRF) vulnerability in Nitro API in Citrix NetScaler before 10 (2022-05-14)
Exploits & PoCs: 1
Vendor Advisories
Citrix (1)
CVE-2015-2838: Cross-site request forgery (CSRF) vulnerability in Nitro API in Citrix NetScaler before 10.5 build 52.3nc allows remote attackers to hijack the authen (2015-04-03)