CVE-2002-2426
Citrix Access Essentials 1.0-2.0 and Presentation Server 3.0-4.5 - Cross-Site Request Forgery via InitialProgram Key
Title source: llmDescription
Cross-site request forgery (CSRF) vulnerability in Citrix Presentation Server 4.0 and 4.5, MetaFrame Presentation Server 3.0, and Access Essentials 1.0 through 2.0 allows remote attackers to execute arbitrary published applications, and possibly other programs, as authenticated users via the InitialProgram key in an ICA connection. NOTE: some of these details are obtained from third party information.
References (7)
Core References
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_sectrack): http://www.securitytracker.com/id?1018962
Exploit, Third Party Advisory (x_refsource_misc): http://packetstormsecurity.org/0210-exploits/hackingcitrix.txt
Vendor Advisory (x_refsource_confirm): http://support.citrix.com/article/CTX115245
Third Party Advisory (vdb-entry, x_refsource_vupen): http://www.vupen.com/english/advisories/2007/3870
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/26451
Vendor Advisory (third-party-advisory, x_refsource_secunia): http://secunia.com/advisories/27633
Various Sources (x_refsource_misc): http://www.gnucitizen.org/blog/citrix-owning-the-legitimate-backdoor/
Scores
EPSS: 0.0033
EPSS Percentile: 56.2%
Details
CWE: CWE-352
Status: published
Products (6)
citrix/access_essentials 1.0
citrix/access_essentials 1.5
citrix/access_essentials 2.0
citrix/metaframe_presentation_server 3.0
citrix/presentation_server 4.0
citrix/presentation_server 4.5
Published: Dec 31, 2002
Tracked Since: Feb 18, 2026