Citrix NetScaler ADC and Gateway Cross-Site Scripting Vulnerability

Vulnerability

A Cross-Site Scripting (XSS) vulnerability has been identified in Citrix NetScaler ADC and NetScaler Gateway. The issue is reachable only when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server; an appliance that serves neither role does not meet the precondition. Only the builds listed in the vendor security bulletin are affected, and the fixed builds are repeated under Remediation below.

Impact

Exploitation allows an attacker to inject script that runs in the victim's browser within the origin of the Gateway or AAA login portal. Anything the victim's browser will do on that origin (render the portal, submit the login form, follow links) is therefore under the attacker's control for the duration of the page, which is why an XSS on an authentication portal should be triaged above a generic reflected XSS on a static site.

Reproduction

The affected condition is a NetScaler ADC or Gateway appliance acting as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. On the appliance this corresponds to an authentication vserver (add authentication vserver) or a VPN vserver (add vpn vserver) in the running configuration; the ICA Proxy, CVPN and RDP Proxy modes are all VPN vserver configurations. No injection point or payload is published here; these steps only establish the configuration in which the vulnerability is present.

Remediation

Affected customers should upgrade to NetScaler ADC and NetScaler Gateway 14.1-56.73 or later, 13.1-60.32 or later, 13.1-37.250 or later of 13.1-FIPS and 13.1-NDcPP, or 12.1-55.333 or later of 12.1-FIPS and 12.1-NDcPP. Versions 12.1 and 13.0 are End Of Life and no longer supported: no fixed build will ship for them, so appliances on those lines must be migrated to a supported release rather than patched.
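The two checks above (is the appliance in an affected role, and is its build below the fixed one) are easy to get wrong by hand because the FIPS/NDcPP lines have their own build series. The following triage script is an added example, not Citrix code or part of the bulletin. It assumes the `NetScaler NS<major>: Build <x>.<y>.nc` format of the first line of `show version`, and that every Gateway role named on this page is backed by an `add vpn vserver` line in the running configuration (`show ns runningConfig` or ns.conf) with AAA backed by `add authentication vserver`. The sample version string and configuration are constructed.

```python
"""Triage helper for the NetScaler ADC/Gateway XSS bulletin above.

Added example, not Citrix code. It decides whether an appliance is in scope
from two artefacts an operator can pull from the CLI: the first line of
`show version` and the running config (`show ns runningConfig` / ns.conf).
Assumptions: the `NetScaler NS<major>: Build <x>.<y>.nc` version format, and
that every Gateway role on the page (VPN vserver, ICA Proxy, CVPN, RDP Proxy)
is backed by an `add vpn vserver` line, with AAA by `add authentication vserver`.
"""
import re
from typing import Dict, List, Optional, Tuple

# First fixed build per release line, from the bulletin. A None key is the
# standard line; an integer key is the FIPS/NDcPP build series on that line.
FIXED_BUILDS: Dict[Tuple[str, Optional[int]], Tuple[int, int]] = {
    ("14.1", None): (56, 73),
    ("13.1", None): (60, 32),
    ("13.1", 37): (37, 250),   # 13.1-37.x is the 13.1 FIPS / NDcPP line
    ("12.1", 55): (55, 333),   # 12.1-55.x is the 12.1 FIPS / NDcPP line
}
EOL_LINES = {"12.1", "13.0"}   # no fix will ship for the standard builds

VERSION_RE = re.compile(r"NetScaler NS(\d+\.\d+): Build (\d+)\.(\d+)")
VSERVER_RE = re.compile(r"^add (vpn|authentication) vserver\s+(\S+)", re.M)


def parse_version(show_version: str) -> Tuple[str, int, int]:
    """'NetScaler NS13.1: Build 59.19.nc, ...' -> ('13.1', 59, 19)."""
    m = VERSION_RE.search(show_version)
    if not m:
        raise ValueError(f"unrecognised version string: {show_version!r}")
    return m.group(1), int(m.group(2)), int(m.group(3))


def is_vulnerable_version(show_version: str) -> Tuple[bool, str]:
    """True if the build predates the fix (or its line is EOL), plus a reason."""
    line, bmaj, bmin = parse_version(show_version)
    # Route FIPS/NDcPP build series first, then fall back to the standard line.
    fixed = FIXED_BUILDS.get((line, bmaj)) or FIXED_BUILDS.get((line, None))
    if fixed is None:
        if line in EOL_LINES:
            return True, f"{line} is End Of Life: no fixed build, migrate to a supported line"
        return True, f"release line {line} not in the bulletin; treat as affected until confirmed"
    tag = f"{line}-{bmaj}.{bmin}"
    if (bmaj, bmin) >= fixed:
        return False, f"{tag} is at or above fixed build {line}-{fixed[0]}.{fixed[1]}"
    return True, f"{tag} is below fixed build {line}-{fixed[0]}.{fixed[1]}"


def exposed_vservers(ns_conf: str) -> List[Tuple[str, str]]:
    """(kind, name) for every VPN or authentication vserver in the config."""
    return VSERVER_RE.findall(ns_conf)


def assess(show_version: str, ns_conf: str) -> Dict[str, object]:
    """In scope only when both hold: a vulnerable build AND an exposed role."""
    vulnerable, reason = is_vulnerable_version(show_version)
    exposed = exposed_vservers(ns_conf)
    return {
        "vulnerable_build": vulnerable,
        "exposed_vservers": exposed,
        "in_scope": vulnerable and bool(exposed),
        "reason": reason,
    }


# Constructed sample input (not captured from a real appliance).
SAMPLE_SHOW_VERSION = "NetScaler NS13.1: Build 59.19.nc, Date: May 20 2025, 00:03:40   (64-bit)"
SAMPLE_NS_CONF = """\
set ns config -IPAddress 10.0.0.10 -netmask 255.255.255.0
add vpn vserver vs_gateway SSL 10.0.0.20 443
add authentication vserver aaa_portal SSL 10.0.0.21 443
add lb vserver lb_web HTTP 10.0.0.30 80
"""

if __name__ == "__main__":
    for key, value in assess(SAMPLE_SHOW_VERSION, SAMPLE_NS_CONF).items():
        print(f"{key}: {value}")
```

Two design points worth noting: the FIPS/NDcPP series is matched on the build number before the standard line is consulted, so a 13.1-37.250 appliance is reported fixed rather than compared against 60.32; and an unrecognised release line is reported as affected rather than silently clean, which is the safer failure mode for a triage script.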

Added: Nov 11, 2025, 2:19 PM
Updated: Nov 11, 2025, 2:19 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 1.7
exploitability: 6.5
remediation: 7.7
relevance: 0.9
threat: 1.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.