CVE-2015-2839

Name of the Vulnerable Software and Affected Versions Citrix NetScaler versions prior to 10.5 build 52.3nc

Description The issue allows remote attackers to conduct cross-site scripting (XSS) attacks. This is achieved by exploiting the Nitro API, which returns an error message with an incorrect Content-Type, via the file name JSON member in the "params/xen hotfix/0" to "nitro/v1/config/xen hotfix" API endpoint.

Recommendations For versions prior to 10.5 build 52.3nc, update to build 52.3nc or later to resolve the issue. As a temporary workaround, consider restricting access to the Nitro API to minimize the risk of exploitation. Avoid using the file name JSON member in the affected API endpoint until the issue is resolved.