Description of Problem
Vulnerabilities have been discovered in Citrix ADC and Citrix Gateway that, if exploited, could result in the security issues listed below:
Impacted Products, Versions and Components
The following supported versions of Citrix ADC and Citrix Gateway are affected by these vulnerabilities:
- Citrix ADC and Citrix Gateway 13.1 before 13.1-45.61
- Citrix ADC and Citrix Gateway 13.0 before 13.0-90.11
- Citrix ADC and Citrix Gateway 12.1 before 12.1-65.35
- Citrix ADC 12.1-FIPS before 12.1-55.296
- Citrix ADC 12.1-NDcPP before 12.1-55.296
This bulletin only applies to customer-managed Citrix ADC and Citrix Gateway. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action.
CVE ID | Description | Pre-requisites | CWE | CVSS |
---|---|---|---|---|
CVE-2023-24488 | Cross site scripting | Appliance must be configured as a Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server | | 6.1 |
CVE-2023-24487 | Arbitrary file read | Access to NSIP or SNIP with management interface access | | 6.3 |
What Customers Should Do
Citrix recommends that affected customers of Citrix ADC and Citrix Gateway install the relevant updated versions of Citrix ADC or Citrix Gateway as soon as possible:
- Citrix ADC and Citrix Gateway 13.1-45.61 and later releases
- Citrix ADC and Citrix Gateway 13.0-90.11 and later releases of 13.0
- Citrix ADC and Citrix Gateway 12.1-65.35 and later releases of 12.1
- Citrix ADC 12.1-FIPS 12.1-55.296 and later releases of 12.1-FIPS
- Citrix ADC 13.1-FIPS 13.1-37.150 and later releases of 13.1-FIPS
- Citrix ADC 12.1-NDcPP 12.1-55.296 and later releases of 12.1-NDcPP
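As an added example that is not part of the bulletin, the following Python helper compares an installed build against the fixed builds listed above and reports whether the appliance still needs the update. It assumes the `show version` line has the form `NetScaler NS13.1: Build 45.61.nc, ...` (an assumption about the CLI output, not stated in the bulletin), and the operator supplies the branch (standard, FIPS or NDcPP) because it cannot be recovered from the version string alone.

```python
import re
from typing import NamedTuple, Optional, Tuple

# Fixed builds per branch, taken from the bulletin above. Builds earlier than
# these on the same branch are affected by CVE-2023-24488 and CVE-2023-24487.
FIXED_BUILDS = {
    ("13.1", "standard"): (45, 61),
    ("13.0", "standard"): (90, 11),
    ("12.1", "standard"): (65, 35),
    ("12.1", "FIPS"): (55, 296),
    ("12.1", "NDcPP"): (55, 296),
}

# Accepts the bulletin's "13.1-45.61" form and (assumed CLI format) the
# "NetScaler NS13.1: Build 45.61.nc" line printed by `show version`.
_BULLETIN_RE = re.compile(r"^\s*(\d+\.\d+)-(\d+)\.(\d+)")
_SHOW_VERSION_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")


class Assessment(NamedTuple):
    release: str
    build: Tuple[int, int]
    affected: Optional[bool]       # None when the branch is not covered above
    fixed_version: Optional[str]   # build to install, when known


def parse_version(text: str):
    """Return (release, (build_major, build_minor)) or None if unrecognised."""
    m = _BULLETIN_RE.match(text) or _SHOW_VERSION_RE.search(text)
    if not m:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def assess(text: str, branch: str = "standard") -> Optional[Assessment]:
    """Compare an installed version against the bulletin's fixed builds.

    `branch` is "standard", "FIPS" or "NDcPP" (supplied by the operator).
    """
    parsed = parse_version(text)
    if parsed is None:
        return None
    release, build = parsed
    fixed = FIXED_BUILDS.get((release, branch))
    if fixed is None:
        return Assessment(release, build, None, None)
    fixed_version = f"{release}-{fixed[0]}.{fixed[1]}"
    # Tuple comparison orders (45, 9) before (45, 61) numerically, not lexically.
    return Assessment(release, build, build < fixed, fixed_version)
```

A 12.1-FIPS or 12.1-NDcPP appliance must be assessed with its own branch: the same 12.1-55.296 build is fixed there but, compared against the standard 12.1 threshold of 65.35, would be reported as affected.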
Changelog
Date | Change |
---|---|
2023-05-09T11:45:00Z | Initial Publication |