cbcvebase.
CVE-2019-13608
published 2019-08-29

CVE-2019-13608: Citrix StoreFront Server before 1903, 7.15 LTSR before CU4 (3.12.4000), and 7.6 LTSR before CU8 (3.0.8000) allows XXE attacks.

Priority: P188 high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS: 30.26% (98.0th percentile)

Affected

7 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| citrix | citrix_storefront | | |
| citrix | netscaler_gateway | | |
| citrix | storefront | | |
| citrix | storefront_server | < 3.12.4000 | 3.12.4000 |
| citrix | storefront_server | < 3.0.8000 | 3.0.8000 |
| citrix | storefront_server | >= 1811 < 1903 | 1903 |
| citrix | xenserver | | |

Detection & IOCs (extracted from sources)

url: /Citrix/StoreAuth/ExplicitForms/Start
other: application/vnd.citrix.requesttoken+xml
other: application/vnd.citrix.requesttokenresponse+xml, text/xml, application/vnd.citrix.authenticateresponse-1+xml
path: /Citrix/StoreWeb
  • Match HTTP response Content-Type containing 'vnd.citrix.authenticateresponse' combined with body containing '<AuthenticateResponse' and 'error-bad-request' with HTTP 200 status to confirm vulnerable endpoint interaction.
  • Exploit targets POST /Citrix/StoreAuth/ExplicitForms/Start with Content-Type application/vnd.citrix.requesttoken+xml carrying an XXE payload; successful OOB DNS/HTTP callback via interactsh confirms exploitation.
  • Shodan/FOFA fingerprint '/Citrix/StoreWeb' can be used to identify exposed Citrix StoreFront instances for targeted scanning.
  • Vulnerability is unauthenticated and exploited in ransomware campaigns; prioritize detection on internet-facing StoreFront deployments.
  • The XXE payload uses an out-of-band (OOB) callback mechanism (interactsh); detection via network monitoring requires visibility into DNS/HTTP callbacks from the StoreFront server to external infrastructure.
  • Affected versions are StoreFront earlier than 1903, 7.15 LTSR earlier than CU4 (3.12.4000), and 7.6 LTSR earlier than CU8 (3.0.8000); version checks should target these specific build numbers.
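
The request and response indicators listed above can be combined into one triage pass over proxy or WAF transaction records. This is an added example, not code from the page or from Citrix; the record field names and the sample records are assumptions constructed for illustration, and the DOCTYPE/ENTITY check is an added heuristic for spotting a DTD in the request body.

```python
import re

# Indicator strings below come from the page; the record field names are assumed.
START_PATH = "/citrix/storeauth/explicitforms/start"
REQ_CTYPE = "application/vnd.citrix.requesttoken+xml"
DTD_MARKERS = re.compile(r"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)

def classify(tx):
    """Return the indicator names matched by one logged HTTP transaction."""
    ctype = tx.get("req_content_type", "").split(";")[0].strip().lower()
    # IIS paths are case-insensitive; ignore query string and trailing slash.
    path = tx.get("path", "").split("?")[0].rstrip("/").lower()
    if not (tx.get("method", "").upper() == "POST"
            and path == START_PATH and ctype == REQ_CTYPE):
        return []
    hits = ["requesttoken-post"]          # also produced by legitimate logons
    if DTD_MARKERS.search(tx.get("req_body", "")):
        hits.append("dtd-in-request-body")
    body = tx.get("resp_body", "")
    if (tx.get("status") == 200
            and "vnd.citrix.authenticateresponse" in tx.get("resp_content_type", "").lower()
            and "<AuthenticateResponse" in body and "error-bad-request" in body):
        hits.append("authenticateresponse-bad-request")
    return hits

def triage(transactions):
    """Return (source, hits) for records matching more than the bare endpoint."""
    return [(tx["src"], h) for tx in transactions
            for h in [classify(tx)] if len(h) > 1]

# Constructed sample records (not captured traffic; bodies are placeholders).
SAMPLE = [
    {"src": "198.51.100.20", "method": "POST", "status": 200,
     "path": "/Citrix/StoreAuth/ExplicitForms/Start",
     "req_content_type": REQ_CTYPE, "req_body": "",
     "resp_content_type": "text/xml", "resp_body": "<ok/>"},
    {"src": "203.0.113.7", "method": "POST", "status": 200,
     "path": "/citrix/storeauth/ExplicitForms/Start/",
     "req_content_type": REQ_CTYPE + "; charset=utf-8",
     "req_body": "<!DOCTYPE placeholder [ ... ]>",
     "resp_content_type": "application/vnd.citrix.authenticateresponse-1+xml",
     "resp_body": "<AuthenticateResponse>error-bad-request</AuthenticateResponse>"},
    {"src": "192.0.2.44", "method": "GET", "status": 200, "path": "/Citrix/StoreWeb"},
]

if __name__ == "__main__":
    for src, hits in triage(SAMPLE):
        print(src, hits)
```

Request bodies must be decoded to text before matching, and a hit on an internet-facing StoreFront server is worth correlating with outbound DNS/HTTP from that host.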

CVSS provenance

nvd · v3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd · v2.0 · 5.0 MEDIUM · AV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck · 7.5 HIGH
cisa · 7.5 HIGH