Low
CVE-2023-24488
CVE-2023-24488
Description
Cross site scripting vulnerability in Citrix ADC and Citrix Gateway in allows and attacker to perform cross site scripting
Add Assessment
Technical Analysis
Summary:
A Cross-Site Scripting vulnerability has been discovered in Citrix ADC and Citrix Gateway versionslisted below.
Insufficient sanitization of URL query parameters before their inclusion in an HTTP Location header poses a security risk. Exploiting this vulnerability allows an attacker to create a manipulated link that, upon being clicked, redirects the victim to an arbitrary destination. Additionally, the attacker can insert newline characters into the Location header, prematurely terminating the HTTP headers and injecting an XSS payload into the response body.
Impact of vulnerability:
An attacker can leverage this vulnerability to construct malicious links that, when clicked, either redirect the victim to a website under the attacker’s control or execute JavaScript code within the victim’s browser.
Affected Software:
The following versions of Citrix ADC and Citrix Gateway are susceptible to this vulnerability:
Citrix ADC and Citrix Gateway 13.1 before 13.1-45.61 Citrix ADC and Citrix Gateway 13.0 before 13.0-90.11 Citrix ADC and Citrix Gateway 12.1 before 12.1-65.35 Citrix ADC 12.1-FIPS before 12.1-55.296 Citrix ADC 12.1-NDcPP before 12.1-55.296
Mitigation:
Follow the Citrix reference link to update to the latest versions that will fix the issue(s).
CVSS V3 Severity and Metrics
General Information
Vendors
- citrix
Products
- application delivery controller,
- gateway
References
Exploit
Additional sources will be added here as they become relevant.
Notes: We will only add the top 3 POCs for a given CVE. POCs added here must have at least 2 GitHub stars.
