CVE-2009-3759

HIGH

Citrix XenCenterWeb - Cross-Site Request Forgery via Password Change or VM Stop

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-3759. PoCs published by Secure Network.

AI-analyzed exploit summary This advisory details multiple vulnerabilities in Citrix XenCenterWeb, including XSS, CSRF, SQL injection, and remote command execution. It provides technical explanations and proof-of-concept URLs for each vulnerability.

Description

Multiple cross-site request forgery (CSRF) vulnerabilities in sample code in the XenServer Resource Kit in Citrix XenCenterWeb allow remote attackers to hijack the authentication of administrators for (1) requests that change the password via the username parameter to config/changepw.php or (2) stop a virtual machine via the stop_vmname parameter to hardstopvm.php. NOTE: some of these details are obtained from third party information.

Exploits (1)

exploitdb WRITEUP VERIFIED
by Secure Network · textremotewindows
https://www.exploit-db.com/exploits/9106

This advisory details multiple vulnerabilities in Citrix XenCenterWeb, including XSS, CSRF, SQL injection, and remote command execution. It provides technical explanations and proof-of-concept URLs for each vulnerability.

Classification
Writeup 100%
Attack Type
Xss | Csrf | Sqli | Rce
Complexity
Trivial
Reliability
Reliable
Target: Citrix XenCenterWeb
No auth needed
Prerequisites: Access to the web interface · PHP magic_quotes_gpc off for SQLi and RCE
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (7)

Core 7
Core References
Broken Link, Exploit, Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/504764
Broken Link, Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2009/1814
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/51576
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1022520
Broken Link, Exploit, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/35592
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/9106

Scores

CVSS v3 8.8
EPSS 0.0229
EPSS Percentile 80.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-352
Status published
Products (1)
citrix/xencenterweb
Published Oct 22, 2009
Tracked Since Feb 18, 2026