CVE-2018-6811
Published: 2018-03-06
Priority: P4 · 25 · medium · 6.1 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 1.23% (65.3rd percentile)
Multiple cross-site scripting (XSS) vulnerabilities in Citrix NetScaler ADC 10.5, 11.0, 11.1, and 12.0, and NetScaler Gateway 10.5, 11.0, 11.1, and 12.0 allow remote attackers to inject arbitrary web script or HTML via the Citrix NetScaler interface.
Affected (17 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | hadoop | — | — |
| citrix | citrix_adm | — | — |
| citrix | citrix_hypervisor | — | — |
| citrix | citrix_virtual_apps_and_desktops | — | — |
| citrix | endpoint_management | — | — |
| citrix | netscaler_adc | — | — |
| citrix | netscaler_adc_gateway | — | — |
| citrix | netscaler_application_delivery_controller_firmware | — | — |
| citrix | netscaler_application_delivery_controller_firmware | — | — |
| citrix | netscaler_application_delivery_controller_firmware | — | — |
| citrix | netscaler_application_delivery_controller_firmware | — | — |
| citrix | netscaler_gateway | — | — |
| citrix | netscaler_gateway_firmware | — | — |
| citrix | netscaler_gateway_firmware | — | — |
| citrix | netscaler_gateway_firmware | — | — |
| citrix | netscaler_gateway_firmware | — | — |
| citrix | xenserver | — | — |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| ghsa | — | 8.8 | HIGH | — |
| vendor_apache | — | 8.8 | HIGH | — |
| vendor_redhat | — | 8.8 | HIGH | — |
Red Hat
hadoop: Privilege escalation to root (Incomplete fix for CVE-2016-6811)
vendor_redhat · 2018-11-27 · CVSS 8.8
CVE-2018-11766 [HIGH] CWE-268
In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. A user who can escalate to yarn user can possibly run arbitrary commands as root user.
Package: camel (Red Hat Fuse 7) - Not affected
Package: camel (Red Hat JBoss Fuse 6) - Not affected
Package: rhs-hadoop (Red Hat Storage 3) - Not affected
Citrix
vendor_citrix · 2018-03-06 · CVSS 6.1
CVE-2018-6811 [MEDIUM] CWE-79
CVE-2018-6811: Multiple cross-site scripting (XSS) vulnerabilities in Citrix NetScaler ADC 10.5, 11.0, 11.1, and 12.0, and NetScaler Gateway 10.5, 11.0, 11.1, and 12.0 allow remote attackers to inject arbitrary web script or HTML via the Citrix NetScaler interface.
Citrix
Citrix Security Bulletin CTX232161
vendor_citrix · CVSS 8.8
CVE-2018-6186 [HIGH]
CVE References: CVE-2018-6186, CVE-2018-6808, CVE-2018-6809, CVE-2018-6810, CVE-2018-6811, CVE-2025-12101, CVE-2025-62626, CVE-2026-23554, CVE-2026-3055, CVE-2026-4368, CVE-2026-4397
Affected Products: Citrix ADM, Citrix Hypervisor, Citrix Virtual Apps and Desktops, Endpoint Management, NetScaler ADC, NetScaler Gateway, XenServer
Apache
Apache hadoop: CVE-2018-11766
vendor_apache · CVSS 8.8
CVE-2018-11766 [HIGH]
In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. A user who can escalate to yarn user can possibly run arbitrary commands as root user.
GHSA
GHSA-jmxx-fgxh-42rc: Multiple cross-site scripting (XSS) vulnerabilities in Citrix NetScaler ADC 10
ghsa_unreviewed · 2022-05-14
CVE-2018-6811 [MEDIUM] CWE-79
Multiple cross-site scripting (XSS) vulnerabilities in Citrix NetScaler ADC 10.5, 11.0, 11.1, and 12.0, and NetScaler Gateway 10.5, 11.0, 11.1, and 12.0 allow remote attackers to inject arbitrary web script or HTML via the Citrix NetScaler interface.
GHSA
Arbitrary Command Execution in Hadoop
ghsa · 2018-12-21 · CVSS 8.8
CVE-2018-11766 [HIGH]
In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. A user who can escalate to yarn user can possibly run arbitrary commands as root user.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2018-11766 hadoop: Privilege escalation to root (Incomplete fix for CVE-2016-6811) [fedora-all]
bugzilla · 2018-11-28 · CVSS 8.8
CVE-2018-11766 [HIGH]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all.

For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.

For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs

When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.

Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.

NOTE: this issue affects multi
Bugzilla
CVE-2018-11766 hadoop: Privilege escalation to root (Incomplete fix for CVE-2016-6811)
bugzilla · 2018-11-28 · CVSS 8.8
CVE-2018-11766 [HIGH]
In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. A user who can escalate to yarn user can possibly run arbitrary commands as root user.
References:
https://seclists.org/oss-sec/2018/q4/185
External References:
https://lists.apache.org/thread.html/ff37bbbe09d5f03090e2dd2c3dea95de16ef4249e731f19b8959ce4c@%3Cgeneral.hadoop.apache.org%3E
Discussion:
Created hadoop tracking bugs for this issue:
Affects: fedora-all [bug 1654240]
Published: 2018-03-06