CVE-2019-13608
Published 2019-08-29
CVE-2019-13608: Citrix StoreFront Server before 1903, 7.15 LTSR before CU4 (3.12.4000), and 7.6 LTSR before CU8 (3.0.8000) allows XXE attacks.
Priority: P1 · 88 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability · due 2022-05-03
Exploited in the wild
EPSS: 30.26% (98.0th percentile)
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| citrix | citrix_storefront | — | — |
| citrix | netscaler_gateway | — | — |
| citrix | storefront | — | — |
| citrix | storefront_server | < 3.12.4000 | 3.12.4000 |
| citrix | storefront_server | < 3.0.8000 | 3.0.8000 |
| citrix | storefront_server | >= 1811 < 1903 | 1903 |
| citrix | xenserver | — | — |
Detection & IOCs (extracted from sources)
Other: application/vnd.citrix.requesttokenresponse+xml, text/xml, application/vnd.citrix.authenticateresponse-1+xml
- Match HTTP response Content-Type containing 'vnd.citrix.authenticateresponse' combined with body containing '<AuthenticateResponse' and 'error-bad-request' with HTTP 200 status to confirm vulnerable endpoint interaction.
- Exploit targets POST /Citrix/StoreAuth/ExplicitForms/Start with Content-Type application/vnd.citrix.requesttoken+xml carrying an XXE payload; successful OOB DNS/HTTP callback via interactsh confirms exploitation.
- Shodan/FOFA fingerprint '/Citrix/StoreWeb' can be used to identify exposed Citrix StoreFront instances for targeted scanning.
- Vulnerability is unauthenticated and exploited in ransomware campaigns; prioritize detection on internet-facing StoreFront deployments.
- The XXE payload uses an out-of-band (OOB) callback mechanism (interactsh); detection via network monitoring requires visibility into DNS/HTTP callbacks from the StoreFront server to external infrastructure.
- Affected versions are StoreFront earlier than 1903, 7.15 LTSR earlier than CU4 (3.12.4000), and 7.6 LTSR earlier than CU8 (3.0.8000); version checks should target these specific build numbers.
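A request-side check for the endpoint named in the notes above, as an added example (not taken from the indexed sources or the Nuclei template): it flags POSTs to the StoreFront explicit-forms endpoint whose XML body declares a DTD or an external entity, including UTF-16 encoded bodies. The record layout (`src`, `method`, `path`, `headers`, `body`) and the sample records are constructed, and the check assumes normal login requests to this endpoint carry no DTD.

```python
import re

# Endpoint and request Content-Type taken from the detection notes above.
TARGET_PATH = "/citrix/storeauth/explicitforms/start"
TARGET_CTYPE = "application/vnd.citrix.requesttoken+xml"
DTD_RE = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.I)
EXTERNAL_RE = re.compile(rb"<!(DOCTYPE|ENTITY)\b[^>]*\b(SYSTEM|PUBLIC)\b", re.I)

def normalise(body):
    """Re-encode UTF-16 bodies as UTF-8 so the byte patterns still match."""
    for prefix, codec in ((b"\xff\xfe", "utf-16"), (b"\xfe\xff", "utf-16"),
                          (b"<\x00", "utf-16-le"), (b"\x00<", "utf-16-be")):
        if body.startswith(prefix):
            return body.decode(codec, errors="replace").encode("utf-8")
    return body

def classify(req):
    """Return None, 'dtd-declared' or 'external-entity' for one request."""
    path = req["path"].split("?", 1)[0].rstrip("/").lower()
    if req["method"].upper() != "POST" or path != TARGET_PATH:
        return None
    body = normalise(req["body"])
    if EXTERNAL_RE.search(body):
        return "external-entity"
    return "dtd-declared" if DTD_RE.search(body) else None

def scan(records):
    """Return (source, verdict, content_type_matches) per flagged record."""
    findings = []
    for rec in records:
        verdict = classify(rec)
        if verdict:
            ctype = rec["headers"].get("content-type", "")
            ctype = ctype.split(";", 1)[0].strip().lower()
            findings.append((rec["src"], verdict, ctype == TARGET_CTYPE))
    return findings

# Constructed sample records (documentation addresses, placeholder bodies).
_POST = {"method": "POST", "path": "/Citrix/StoreAuth/ExplicitForms/Start",
         "headers": {"content-type": TARGET_CTYPE}}
SAMPLE = [
    dict(_POST, src="198.51.100.7", body=b'<?xml version="1.0"?>'
         b'<!DOCTYPE r [<!ENTITY e SYSTEM "http://placeholder.invalid/">]><r/>'),
    dict(_POST, src="203.0.113.20", body=b'<?xml version="1.0"?><placeholder/>'),
    dict(_POST, src="198.51.100.9", headers={"content-type": "text/xml"},
         body='<!DOCTYPE r [<!ENTITY e "constructed">]><r/>'.encode("utf-16")),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The third field in each finding records whether the request also used the Content-Type from the notes; the path and body alone decide the verdict, so a request sent with a different XML media type is still flagged.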
CVSS provenance
nvd · v3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd · v2.0 · 5.0 MEDIUM · AV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck · 7.5 HIGH
cisa · 7.5 HIGH
CISA
Citrix StoreFront Server XML External Entity (XXE) Processing Vulnerability
cisa·2021-11-03·CVSS 7.5
CVE-2019-13608 [HIGH] CWE-611 Citrix StoreFront Server XML External Entity (XXE) Processing Vulnerability
Vulnerability: Citrix StoreFront Server XML External Entity (XXE) Processing Vulnerability
Affected: Citrix StoreFront Server
Citrix StoreFront Server contains an XML External Entity (XXE) processing vulnerability that may allow an unauthenticated attacker to retrieve potentially sensitive information.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2019-13608
Remediation Due Date: 2022-05-03
Citrix
CVE-2019-13608: Citrix StoreFront Server before 1903, 7.15 LTSR before CU4 (3.12.4000), and 7.6 LTSR before CU8 (3.0.8000) allows XXE attacks.
vendor_citrix·2019-08-29·CVSS 7.5
CVE-2019-13608 [HIGH] CWE-611 CVE-2019-13608: Citrix StoreFront Server before 1903, 7.15 LTSR before CU4 (3.12.4000), and 7.6 LTSR before CU8 (3.0.8000) allows XXE attacks.
CISA KEV: Citrix StoreFront Server contains an XML External Entity (XXE) processing vulnerability that may allow an unauthenticated attacker to retrieve potentially sensitive information.
Required Action: Apply updates per vendor instructions.
Known ransomware campaign use.
Citrix
CVE-2019-13608 - XML External Entity (XXE) Processing Vulnerability in Citrix StoreFront Server
vendor_citrix·CVSS 7.5
CVE-2019-13608 [HIGH] CVE-2019-13608 - XML External Entity (XXE) Processing Vulnerability in Citrix StoreFront Server
Description of Problem
An XML External Entity (XXE) processing vulnerability has been identified in Citrix StoreFront Server that could allow an unauthenticated attacker to retrieve potentially sensitive information from the server.
This vulnerability has been assigned the following CVE number:
- CVE-2019-13608: XML External Entity (XXE) Processing Vulnerability in Citrix StoreFront Server.
This vulnerability affects the following Citrix StoreFront Server versions:
- Citrix StoreFront Server earlier than 1903
- Citrix StoreFront Server 7.15 LTSR earlier than CU4 (3.12.4000)
- Citrix StoreFront Server 7.6 LTSR earlier than CU8 (3.0.8000)
CVE References: CVE-2019-13608
Affected Products: Citrix StoreFront,
GHSA
GHSA-22h8-5mmq-pgx3: Citrix StoreFront Server before 1903, 7
ghsa_unreviewed·2022-05-24
CVE-2019-13608 [HIGH] CWE-611 GHSA-22h8-5mmq-pgx3: Citrix StoreFront Server before 1903, 7
Citrix StoreFront Server before 1903, 7.15 LTSR before CU4 (3.12.4000), and 7.6 LTSR before CU8 (3.0.8000) allows XXE attacks.
VulnCheck
Citrix StoreFront Server XML External Entity (XXE) Processing Vulnerability
vulncheck·2019·CVSS 7.5
CVE-2019-13608 [HIGH] CWE-611 Citrix StoreFront Server XML External Entity (XXE) Processing Vulnerability
Citrix StoreFront Server contains an XML External Entity (XXE) processing vulnerability that may allow an unauthenticated attacker to retrieve potentially sensitive information.
Affected: Citrix StoreFront Server
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://news.sophos.com/en-us/2021/01/26/nefilim-ransomware-attack-uses-ghost-credentials/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://cybersecurityworks.com/howdymanage/uploads/file/ransomware-_-2022-spotlight-report_compressed.pdf; https://tracker.crowdsec.net/cves/CVE-2019-13608
Remediation Due: 2022-05-03
No detection rules found.
Nuclei
Citrix StoreFront Server - XML External Entity
nuclei·CVSS 7.5
CVE-2019-13608 [HIGH] Citrix StoreFront Server - XML External Entity
Citrix StoreFront Server before 1903, 7.15 LTSR before CU4 (3.12.4000), and 7.6 LTSR before CU8 (3.0.8000) allows XXE attacks.
Template:
```yaml
id: CVE-2019-13608
info:
  name: Citrix StoreFront Server - XML External Entity
  author: daffainfo
  severity: high
  description: |
    Citrix StoreFront Server before 1903, 7.15 LTSR before CU4 (3.12.4000), and 7.6 LTSR before CU8 (3.0.8000) allows XXE attacks.
  impact: |
    Attackers can read arbitrary files, perform server-side request forgery, or cause denial of service through XXE attacks.
  remediation: |
    Update to version 1903 or later for StoreFront, CU4 or later for 7.15 LTSR, CU8 or later for 7.6 LTSR.
  reference:
    - https://www.exploit-db.com/exploits/47561
    - https://support.citrix.com/support-home/kbsearch/arti
```
No writeups or analysis indexed.
2019-08-29: Published
2021-11-03: Added to CISA KEV
Exploited in the wild