CyberSec.Space Logo
Back to CVE Browser

CVE-2009-3757

MEDIUM
4.3
CVSS Severity Score
EPSS Score0.1750%
EPSS Percentile5.17th
PublishedOct 22, 2009
Last ModifiedApr 23, 2026

Vulnerability Description

Multiple cross-site scripting (XSS) vulnerabilities in sample code in the XenServer Resource Kit in Citrix XenCenterWeb allow remote attackers to inject arbitrary web script or HTML via the (1) username parameter to config/edituser.php; (2) location, (3) sessionid, and (4) vmname parameters to console.php; (5) vmrefid and (6) vmname parameters to forcerestart.php; and (7) vmname and (8) vmrefid parameters to forcesd.php. NOTE: some of these details are obtained from third party information.

Affected Platforms (CPE)

πŸ“¦
Citrix

Xencenterweb

All versions

References & Advisories

πŸ”— http://securenetwork.it/ricerca/advisory/download/SN-2009-01.txt
πŸ”— http://securitytracker.com/id?1022520
πŸ”— http://www.exploit-db.com/exploits/9106
πŸ”— http://www.securityfocus.com/archive/1/504764
πŸ”— http://www.securityfocus.com/bid/35592
πŸ”— http://www.vupen.com/english/advisories/2009/1814
πŸ”— https://exchange.xforce.ibmcloud.com/vulnerabilities/51575
πŸ”— http://securenetwork.it/ricerca/advisory/download/SN-2009-01.txt

Related Vulnerabilities

CVE-2009-37598.8

Multiple cross-site request forgery (CSRF) vulnerabilities in sample code in the XenServer Resource Kit in Citrix XenCenterWeb all...

CVE-2009-37587.5

SQL injection vulnerability in login.php in sample code in the XenServer Resource Kit in Citrix XenCenterWeb allows remote attacke...

CVE-2009-37607.5

Static code injection vulnerability in config/writeconfig.php in the sample code in the XenServer Resource Kit in Citrix XenCenter...

CVE-2009-227110.0

The Huawei D100 has (1) a certain default administrator password for the web interface, and does not force a password change; and ...