ID CVE-2009-3936
Summary Unspecified vulnerability in Citrix Online Plug-in for Windows 11.0.x before 11.0.150 and 11.x before 11.2, Online Plug-in for Mac before 11.0, Receiver for iPhone before 1.0.3, and ICA Java, Mac, UNIX, and Windows Clients for XenApp and XenDesktop allows remote attackers to impersonate the SSL/TLS server and bypass authentication via a crafted certificate, a different vulnerability than CVE-2009-3555.
References
Vulnerable Configurations
  • cpe:2.3:a:citrix:online_plug-in_for_mac:*:*:*:*:*:*:*:*
  • cpe:2.3:a:citrix:online_plug-in_for_windows:11.0:*:*:*:*:*:*:*
  • cpe:2.3:a:citrix:online_plug-in_for_windows:11.1:*:*:*:*:*:*:*
  • cpe:2.3:a:citrix:online_plug-in_for_windows:*:*:*:*:*:*:*:*
  • cpe:2.3:a:citrix:receiver_for_iphone:*:*:*:*:*:*:*:*
CVSS
Base: 5.8 (as of 17-08-2017 - 01:31)
Impact:
Exploitability:
CWE CWE-310
CAPEC
  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Access
  Vector: NETWORK
  Complexity: MEDIUM
  Authentication: NONE
Impact
  Confidentiality: NONE
  Integrity: PARTIAL
  Availability: PARTIAL
cvss-vector via4 AV:N/AC:M/Au:N/C:N/I:P/A:P
refmap via4
bid 37073
confirm http://support.citrix.com/article/CTX123248
sectrack 1023168
secunia 37319
vupen ADV-2009-3206
xf citrix-ssl-spoofing(54213)
Last major update 17-08-2017 - 01:31
Published 13-11-2009 - 16:30
Last modified 17-08-2017 - 01:31