1. Vulnerability Properties
Title: Reflected cross-site scripting vulnerability in DIGIPASS authentication for Citrix Web Interface
CVE ID: CVE-2015-7349
CVSSv3 Base Score: 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
Vendor: Vasco (https://www.vasco.com)
Products: DIGIPASS authentication for Citrix Web Interface
Advisory Release Date: 6 October 2015
Advisory URL: https://labs.integrity.pt/advisories/cve-2015-7349
Credits: Discovery by Filipe Bernardo <fb[at]integrity.pt>
2. Vulnerability Summary
Vasco DIGIPASS authentication for Citrix Web Interface is vulnerable to cross-site scripting (XSS) on the login page.
The DIGIPASS plug-in is installed on the IIS server. When a user attempts to log in and an error occurs, the plug-in handles the request and shows an error message stating the reason for the failure. The failmessage parameter used for this message is vulnerable to reflected XSS.
3. Technical Details
When a login error occurs, the failmessage parameter carries the error message from the DIGIPASS plug-in with the information regarding the error, and that value is reflected into the page.
The standard URL of the vulnerable authentication page is the following:
The vulnerable parameter is failmessage.
4. Vulnerable Versions
- Assume all VASCO DIGIPASS for Citrix Web Interface versions released to date are affected.
- To mitigate this, clients should "disable the display of the login failure reason", as described in VASCO KB140148.
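As an added illustration (not the plug-in's own code, which is not shown in this advisory), the reflection pattern described in section 3 beside a hardened rendering that follows the KB140148 advice of not displaying the failure reason; the function names, the reason codes and the placeholder host are assumptions.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed allow-list of failure reasons the page may display; the real
# plug-in's messages are not part of the advisory.
KNOWN_FAILURES = {
    "invalid_otp": "The one-time password is incorrect.",
    "locked": "Your account is locked. Contact the help desk.",
}

GENERIC = "Login failed."


def failmessage_from_url(url: str) -> str:
    """Return the failmessage query parameter of a login URL ('' if absent)."""
    params = parse_qs(urlsplit(url).query)
    return params.get("failmessage", [""])[0]


def render_vulnerable(failmessage: str) -> str:
    """The reflected pattern: the parameter is written into the HTML unchanged,
    so any markup the browser receives in it is rendered and executed."""
    return f'<div class="error">{failmessage}</div>'


def render_hardened(failmessage: str, show_reason: bool) -> str:
    """Never echo the parameter. With show_reason=False (the KB140148 mitigation)
    only a generic message is shown; otherwise the parameter is treated as an
    opaque code looked up in the allow-list, and the fixed text is HTML-escaped
    as defence in depth."""
    if not show_reason:
        return f'<div class="error">{GENERIC}</div>'
    text = KNOWN_FAILURES.get(failmessage, GENERIC)
    return f'<div class="error">{html.escape(text, quote=True)}</div>'


if __name__ == "__main__":
    # Placeholder host; the advisory's own URL is not reproduced here.
    url = "https://login.example.invalid/auth/login.aspx?failmessage=locked"
    print(render_hardened(failmessage_from_url(url), show_reason=True))
```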
7. Vulnerability Timeline
- 25/03/2015 - Reported to Citrix Security team
- 03/07/2015 - Citrix analysed the report and determined that the problem lies in the Vasco plug-in
- 11/08/2015 - Reported to Vasco security team (PSIRT)
- 19/08/2015 - Vasco PSIRT acknowledged vulnerability
- 25/09/2015 - Vasco PSIRT released the fix and advisory
- 06/10/2015 - Advisory published