Vulnerability identifier: #VU7191
Vulnerability risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-611
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Citrix XenMobile Server
Server applications /
Web servers
Vendor: Citrix
Description
The vulnerability allows a remote attacker to perform an XXE attack.
The vulnerability exists due to insufficient validation of user-supplied data. A remote attacker can supply specially crafted XML External Entity (XXE) data to read arbitrary files with the privileges of the target service.
Successful exploitation of the vulnerability results in information disclosure.
Mitigation
Update to version 10.5 RP3.
Vulnerable software versions
Citrix XenMobile Server: 9.0 - 10.5
External links
http://support.citrix.com/article/CTX220138
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.