CVE-2016-6877 — Improper Input Validation in Citrix Xenmobile Server

CWE-20 — Improper Input Validation3 documents3 sources

Severity

5.3MEDIUMNVD

EPSS

0.8%

top 26.32%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Citrix Xenmobile Server

Timeline

PublishedMay 5

Latest updateMay 17

Description

Citrix XenMobile Server before 10.5.0.24 allows man-in-the-middle attackers to trigger HTTP 302 redirections via vectors involving the HTTP Host header and a cached page. NOTE: the vendor reports "our internal analysis of this issue concluded that this was not a valid vulnerability" because an exploitation scenario would involve a man-in-the-middle attack against a TLS session

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 1.6 | Impact: 3.6

Affected Packages1 packages

▶NVDcitrix/xenmobile_server10.3.6.310

🔴Vulnerability Details

GHSA

GHSA-g7jr-3gjx-fr4f: ** DISPUTED ** Citrix XenMobile Server before 10↗2022-05-17

▶

📋Vendor Advisories

Citrix

CVE-2016-6877: Citrix XenMobile Server before 10.5.0.24 allows man-in-the-middle attackers to trigger HTTP 302 redirections via vectors involving the HTTP Host heade↗2017-05-05

▶