PT-2011-40: Multiple CSRF vulnerabilities in Citrix License Administration Console
Vulnerable software
Citrix XenServer Administration Console
Version: 11.9 and earlier
Application link:
http://www.citrix.com/English/ps2/products/product.asp?contentID=683148
Severity level
Severity level: High
Impact: Configuration modification
Access Vector: Network exploitable
CVSS v2:
Base Score: 7.1
Vector: (AV:N/AC:M/Au:N/C:N/I:C/A:N)
CVE: not assigned
Vulnerability description
Positive Research Center has discovered a multiple CSRF vulnerabilities in Citrix License Administration Console.
All web interface forms are vulnerable to CSRF attacks. One can exploit these vulnerabilities to change the system configuration.
How to fix
Update your software up to the latest version
Advisory status
10.11.2011 - Vendor is notified
10.11.2011 - Vendor gets vulnerability details
13.03.2012 - Vendor releases fixed version and details
27.03.2012 - Public disclosure
Credits
The vulnerability was discovered by Maxim Tsoy, Kirill Mosolov, Positive Research Center (Positive Technologies Company)
References
http://en.securitylab.ru/lab/PT-2011-40
http://support.citrix.com/article/CTX128167
Reports on the vulnerabilities previously discovered by Positive Research:
http://ptsecurity.com/research/advisory/
http://en.securitylab.ru/lab/