CVE-2002-0504 in Nfuse
Summary
by MITRE
Cross-site scripting vulnerability in Citrix NFuse 1.6 and earlier does not quote results from the getLastError method, which allows remote attackers to execute script in other clients via the NFuse_Application parameter to (1) launch.jsp or (2) launch.asp.
Analysis
by VulDB Data Team • 09/16/2025
The vulnerability described in CVE-2002-0504 represents a classic cross-site scripting flaw that existed within Citrix NFuse 1.6 and earlier versions of the application delivery platform. This issue specifically affects the way the system handles error messages generated by the getLastError method, creating a pathway for malicious actors to inject and execute arbitrary scripts within the context of other users' browsers. The vulnerability manifests through the NFuse_Application parameter that is processed by two critical server-side scripts: launch.jsp and launch.asp, which are fundamental components of the Citrix NFuse application launching mechanism.
The technical root cause of this vulnerability stems from insufficient input validation and output sanitization within the Citrix NFuse application. When the getLastError method is invoked, it returns error information that should be properly escaped or quoted before being rendered in the browser context. However, the implementation fails to apply proper HTML entity encoding or quotation around the error results, allowing malicious payloads to be interpreted as executable JavaScript code rather than harmless text. This occurs because the NFuse_Application parameter, which is typically used to specify application launch parameters, becomes a vector for injection attacks when it contains unescaped characters that can manipulate the HTML output.
The operational impact of this vulnerability extends beyond simple script execution, as it enables attackers to perform a wide range of malicious activities within the targeted environment. An attacker could craft a specially formatted NFuse_Application parameter that, when processed by either launch.jsp or launch.asp, would inject malicious JavaScript code into the victim's browser session. This code could then be used to steal session cookies, redirect users to malicious sites, deface web pages, or even establish persistent backdoors within the application delivery environment. The vulnerability is particularly dangerous because it affects the core application launching functionality, meaning that any user who interacts with the NFuse interface could potentially become compromised, creating a significant risk to the entire enterprise network that relies on Citrix application delivery services.
The security implications of this vulnerability align with CWE-79, which specifically addresses cross-site scripting flaws in web applications, and can be mapped to ATT&CK technique T1566.001, which covers spearphishing through social media and email. Organizations using Citrix NFuse 1.6 or earlier versions face a critical risk of unauthorized access and data exfiltration, as the vulnerability allows attackers to execute code in the context of authenticated users. The remediation strategy should prioritize immediate patching of the Citrix NFuse application to version 1.7 or later, which includes proper input validation and output encoding for error messages. Additionally, network administrators should implement proper web application firewalls, input sanitization measures, and regular security assessments to prevent similar vulnerabilities from being introduced in other components of the application delivery infrastructure. Organizations should also consider implementing strict parameter validation and sanitization protocols across all web applications to prevent such injection-based attacks from occurring in the future.