#VU1136 Session hijacking in Citrix NetScaler - CVE-2016-9028
Published: November 2, 2016 / Updated: November 3, 2016
Vulnerability identifier: #VU1136
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2016-9028
CWE-ID: CWE-592
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Citrix NetScaler
Software vendor:
Citrix
Description
The vulnerability allows a remote unauthenticated user to hijack the target user's session.
The weakness is due to an unauthorized redirect in the AAA for Traffic Management (AAA-TM) flow that allows remote attackers to obtain the session cookies and hijack a valid user's session.
Successful exploitation of the vulnerability leads to session theft.
Remediation
Update to version 10.1 Build 135.8, 10.5 Build 61.11, 11.0 Build 65.31/65.35F.
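An added helper, not part of this advisory, that checks whether an appliance's reported version is at or above the fixed build for its branch; the "10.5 Build 61.11" notation is taken from the remediation line, and the tolerance for a "NS10.5: Build 61.11.nc" style string, the branch list and the sample inputs are assumptions.

```python
import re
from typing import Optional, Tuple

# Fixed builds per release branch, as listed in the remediation above.
# For 11.0 the advisory gives 65.31 and 65.35F; the "F" suffix is treated
# here as a separate (feature-phase) build line and compared only against
# versions carrying the same suffix (assumption).
FIXED_BUILDS = {
    "10.1": [("135.8", False)],
    "10.5": [("61.11", False)],
    "11.0": [("65.31", False), ("65.35", True)],
}

# Accepts "10.5 Build 61.11", "11.0 Build 65.35F" and, by assumption,
# a "NetScaler NS10.5: Build 61.11.nc" style string.
_VERSION_RE = re.compile(
    r"(?P<branch>\d+\.\d+):?\s+Build\s+(?P<build>\d+(?:\.\d+)*)(?P<feature>F)?",
    re.IGNORECASE,
)


def parse_version(text: str) -> Tuple[str, Tuple[int, ...], bool]:
    """Return (branch, build as an int tuple, is_feature_build)."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    # Split the build into integers so that 135.10 sorts above 135.8;
    # a plain string comparison would get this wrong.
    build = tuple(int(part) for part in m.group("build").split("."))
    return m.group("branch"), build, bool(m.group("feature"))


def is_fixed_for_cve_2016_9028(text: str) -> Optional[bool]:
    """True if at/above the fixed build for the branch, False if below,
    None if the branch (or build line) is not covered by the advisory."""
    branch, build, feature = parse_version(text)
    candidates = FIXED_BUILDS.get(branch)
    if candidates is None:
        return None
    for fixed_build, fixed_feature in candidates:
        if fixed_feature == feature:
            fixed = tuple(int(part) for part in fixed_build.split("."))
            return build >= fixed
    return None


if __name__ == "__main__":
    # Constructed sample inputs, not real appliance output.
    for sample in ("10.5 Build 60.7", "10.1 Build 135.10", "11.0 Build 65.35F"):
        print(sample, "->", is_fixed_for_cve_2016_9028(sample))
```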