=====================================================================
                                   CERT-Renater

                        Note d'Information No. 2010/VULN513
_____________________________________________________________________

DATE                      : 09/12/2010

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : System running Citrix Web Interface versions 5.x prior to 5.4.

======================================================================
http://support.citrix.com/article/CTX127541
______________________________________________________________________

 Cross-Site Scripting Vulnerability in Citrix Web Interface
Document ID: CTX127541   /   Created On: Dec 7, 2010   /   Updated On: Dec 8, 2010


Severity: Medium

Description of Problem

A cross-site scripting vulnerability has been identified in specific
versions of Citrix Web Interface.

This vulnerability could potentially be used to execute malicious client-side
script in the same context as legitimate content from the web server; if this
vulnerability is used to execute script in the browser of an authenticated
user then the script may be able to gain access to the authenticated user’s
session or other potentially sensitive information.

This vulnerability affects all version 5.x Citrix Web Interface installations
up to and including version 5.3.

What Customers Should Do

This vulnerability has been addressed in Citrix Web Interface version 5.4 and
above. Citrix recommends that both XenApp and XenDesktop customers upgrade
their Web Interface to version 5.4 or later.

The latest version of Web Interface can be obtained from the “Downloads”
location of the Citrix website and the location below:

https://www.citrix.com/English/ss/downloads/index.asp

What Citrix Is Doing

Citrix is notifying customers and channel partners about this potential
security issue. This article is also available from the Citrix Knowledge
Center at http://support.citrix.com/.

Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix
Technical Support. Contact details for Citrix Technical Support are available
at http://www.citrix.com/site/ss/supportContacts.asp.

Reporting Security Vulnerabilities to Citrix

Citrix welcomes input regarding the security of its products
and considers any and all potential vulnerabilities seriously.
If you would like to report a security issue to Citrix, please
compose an e-mail to secure@citrix.com stating the exact version
of the product in which the vulnerability was found and the steps
needed to reproduce the vulnerability

This document applies to:

    * Web Interface 5.0
    * Web Interface 5.1
    * Web Interface 5.3



======================================================================

          =========================================================
          Les serveurs de référence du CERT-Renater
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================