CVE-2020-8983
published 2020-05-07CVE-2020-8983: An arbitrary file write issue exists in all versions of Citrix ShareFile StorageZones (aka storage zones) Controller, including the most recent 5.10.x releases…
PriorityP348high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
EPSS
4.51%
90.3th percentile
An arbitrary file write issue exists in all versions of Citrix ShareFile StorageZones (aka storage zones) Controller, including the most recent 5.10.x releases as of May 2020, which allows remote code execution. RCE and file access is granted to everything hosted by ShareFile, be it on-premise or inside Citrix Cloud itself (both are internet facing). NOTE: unlike most CVEs, exploitability depends on the product version that was in use when a particular setup step was performed, NOT the product version that is in use during a current assessment of a CVE consumer's product inventory. Specifically, the vulnerability can be exploited if a storage zone was created by one of these product versions: 5.9.0, 5.8.0, 5.7.0, 5.6.0, 5.5.0, or earlier. This CVE differs from CVE-2020-7473 and CVE-2020-8982.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| citrix | citrix_adm | — | — |
| citrix | citrix_hypervisor | — | — |
| citrix | citrix_virtual_apps_and_desktops | — | — |
| citrix | endpoint_management | — | — |
| citrix | netscaler_adc | — | — |
| citrix | netscaler_gateway | — | — |
| citrix | sharefile | — | — |
| citrix | sharefile_storagezones_controller | <= 5.5.0 | — |
| citrix | sharefile_storagezones_controller | — | — |
| citrix | sharefile_storagezones_controller | — | — |
| citrix | sharefile_storagezones_controller | — | — |
| citrix | sharefile_storagezones_controller | — | — |
| citrix | xenserver | — | — |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck7.5HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-xqh7-34g2-j95q: In certain situations, all versions of Citrix ShareFile StorageZones (aka storage zones) Controller, including the most recent 5
ghsa_unreviewed·2022-05-24·CVSS 7.5
CVE-2020-8982 [HIGH] GHSA-xqh7-34g2-j95q: In certain situations, all versions of Citrix ShareFile StorageZones (aka storage zones) Controller, including the most recent 5
In certain situations, all versions of Citrix ShareFile StorageZones (aka storage zones) Controller, including the most recent 5.10.x releases as of May 2020, allow unauthenticated attackers to access the documents and folders of ShareFile users. NOTE: unlike most CVEs, exploitability depends on the product version that was in use when a particular setup step was performed, NOT the product version that is in use during a current assessment of a CVE consumer's product inventory. Specifically, the vulnerability can be exploited if a storage zone was created by one of these product versions: 5.9.0, 5.8.0, 5.7.0, 5.6.0, 5.5.0, or earlier. This CVE differs from CVE-2020-7473 and CVE-2020-8983 but has essentially the same risk.
GHSA
GHSA-jjf5-33c4-34wr: In certain situations, all versions of Citrix ShareFile StorageZones (aka storage zones) Controller, including the most recent 5
ghsa_unreviewed·2022-05-24·CVSS 7.5
CVE-2020-8983 [HIGH] GHSA-jjf5-33c4-34wr: In certain situations, all versions of Citrix ShareFile StorageZones (aka storage zones) Controller, including the most recent 5
In certain situations, all versions of Citrix ShareFile StorageZones (aka storage zones) Controller, including the most recent 5.10.x releases as of May 2020, allow unauthenticated attackers to access the documents and folders of ShareFile users. NOTE: unlike most CVEs, exploitability depends on the product version that was in use when a particular setup step was performed, NOT the product version that is in use during a current assessment of a CVE consumer's product inventory. Specifically, the vulnerability can be exploited if a storage zone was created by one of these product versions: 5.9.0, 5.8.0, 5.7.0, 5.6.0, 5.5.0, or earlier. This CVE differs from CVE-2020-7473 and CVE-2020-8982 but has essentially the same risk.
GHSA
GHSA-2p3q-x3x4-ww4x: In certain situations, all versions of Citrix ShareFile StorageZones (aka storage zones) Controller, including the most recent 5
ghsa_unreviewed·2022-05-24·CVSS 7.5
CVE-2020-7473 [HIGH] GHSA-2p3q-x3x4-ww4x: In certain situations, all versions of Citrix ShareFile StorageZones (aka storage zones) Controller, including the most recent 5
In certain situations, all versions of Citrix ShareFile StorageZones (aka storage zones) Controller, including the most recent 5.10.x releases as of May 2020, allow unauthenticated attackers to access the documents and folders of ShareFile users. NOTE: unlike most CVEs, exploitability depends on the product version that was in use when a particular setup step was performed, NOT the product version that is in use during a current assessment of a CVE consumer's product inventory. Specifically, the vulnerability can be exploited if a storage zone was created by one of these product versions: 5.9.0, 5.8.0, 5.7.0, 5.6.0, 5.5.0, or earlier. This CVE differs from CVE-2020-8982 and CVE-2020-8983 but has essentially the same risk.
VulnCheck
Citrix ShareFile Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck·2020·CVSS 7.5
CVE-2020-8982 [HIGH] Citrix ShareFile Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Citrix ShareFile Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
An unauthenticated arbitrary file read issue exists in all versions of Citrix ShareFile StorageZones (aka storage zones) Controller, including the most recent 5.10.x releases as of May 2020. RCE and file access is granted to everything hosted by ShareFile, be it on-premise or inside Citrix Cloud itself (both are internet facing). NOTE: unlike most CVEs, exploitability depends on the product version that was in use when a particular setup step was performed, NOT the product version that is in use during a current assessment of a CVE consumer's product inventory. Specifically, the vulnerability can be exploited if a storage zone was created by one of these product versions: 5.9.0, 5.8.0, 5.7.0, 5
Citrix
CVE-2020-7473: In certain situations, all versions of Citrix ShareFile StorageZones (aka storage zones) Controller, including the most recent 5.10.x releases as of M
vendor_citrix·2020-05-07·CVSS 7.5
CVE-2020-7473 [HIGH] CWE-22 CVE-2020-7473: In certain situations, all versions of Citrix ShareFile StorageZones (aka storage zones) Controller, including the most recent 5.10.x releases as of M
CVE-2020-7473: In certain situations, all versions of Citrix ShareFile StorageZones (aka storage zones) Controller, including the most recent 5.10.x releases as of May 2020, allow unauthenticated attackers to access the documents and folders of ShareFile users. NOTE: unlike most CVEs, exploitability depends on the product version that was in use when a particular setup step was performed, NOT the product version that is in use during a current assessment of a CVE consumer's product inventory. Specifically, the vulnerability can be exploited if a storage zone was created by one of these product versions: 5.9.0, 5.8.0, 5.7.0, 5.6.0, 5.5.0, or earlier. This CVE differs from CVE-2020-8982 and CVE-2020-8983 but has essentially the same risk.
Citrix
CVE-2020-8983: An arbitrary file write issue exists in all versions of Citrix ShareFile StorageZones (aka storage zones) Controller, including the most recent 5.10.x
vendor_citrix·2020-05-07·CVSS 7.5
CVE-2020-8983 [HIGH] CWE-22 CVE-2020-8983: An arbitrary file write issue exists in all versions of Citrix ShareFile StorageZones (aka storage zones) Controller, including the most recent 5.10.x
CVE-2020-8983: An arbitrary file write issue exists in all versions of Citrix ShareFile StorageZones (aka storage zones) Controller, including the most recent 5.10.x releases as of May 2020, which allows remote code execution. RCE and file access is granted to everything hosted by ShareFile, be it on-premise or inside Citrix Cloud itself (both are internet facing). NOTE: unlike most CVEs, exploitability depends on the product version that was in use when a particular setup step was performed, NOT the product version that is in use during a current assessment of a CVE consumer's product inventory. Specifically, the vulnerability can be exploited if a storage zone was created by one of these product versions: 5.9.0, 5.8.0, 5.7.0, 5.6.0, 5.5.0, or earlier. This CVE differs from CVE-2020-7473
Citrix
CVE-2020-8982: An unauthenticated arbitrary file read issue exists in all versions of Citrix ShareFile StorageZones (aka storage zones) Controller, including the mos
vendor_citrix·2020-05-07·CVSS 7.5
CVE-2020-8982 [HIGH] CWE-22 CVE-2020-8982: An unauthenticated arbitrary file read issue exists in all versions of Citrix ShareFile StorageZones (aka storage zones) Controller, including the mos
CVE-2020-8982: An unauthenticated arbitrary file read issue exists in all versions of Citrix ShareFile StorageZones (aka storage zones) Controller, including the most recent 5.10.x releases as of May 2020. RCE and file access is granted to everything hosted by ShareFile, be it on-premise or inside Citrix Cloud itself (both are internet facing). NOTE: unlike most CVEs, exploitability depends on the product version that was in use when a particular setup step was performed, NOT the product version that is in use during a current assessment of a CVE consumer's product inventory. Specifically, the vulnerability can be exploited if a storage zone was created by one of these product versions: 5.9.0, 5.8.0, 5.7.0, 5.6.0, 5.5.0, or earlier. This CVE differs from CVE-2020-7473 and CVE-2020-8983.
Citrix
Citrix Security Bulletin CTX269106
vendor_citrix·CVSS 7.5
CVE-2020-7473 [HIGH] Citrix Security Bulletin CTX269106
Citrix Security Bulletin CTX269106
CVE References: CVE-2020-7473, CVE-2020-8982, CVE-2020-8983, CVE-2025-12101, CVE-2025-62626, CVE-2026-23554, CVE-2026-3055, CVE-2026-4368, CVE-2026-4397
Affected Products: Citrix ADM, Citrix Hypervisor, Citrix Virtual Apps and Desktops, Endpoint Management, NetScaler ADC, NetScaler Gateway, XenServer
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://drive.google.com/file/d/15iy6S8CN9Hku0a2zrcrXK9FAocmQvMwT/view?usp=sharinghttps://support.citrix.com/article/CTX269106https://www.linkedin.com/posts/jonas-hansen-2a2606b_citrix-sharefile-storage-zones-controller-activity-6663432907455025152-8_w6/https://drive.google.com/file/d/15iy6S8CN9Hku0a2zrcrXK9FAocmQvMwT/view?usp=sharinghttps://support.citrix.com/article/CTX269106https://www.linkedin.com/posts/jonas-hansen-2a2606b_citrix-sharefile-storage-zones-controller-activity-6663432907455025152-8_w6/
2020-05-07
Published