CVE-2023-24488
Published 2023-07-10
CVE-2023-24488: Cross site scripting vulnerability in Citrix ADC and Citrix Gateway allows an attacker to perform cross site scripting
Priority: P2 · 79 · medium · 6.1 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 80.91% (99.6th percentile)
Affected
16 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| citrix | application_delivery_controller | >= 12.1 < 12.1-55.296 | 12.1-55.296 |
| citrix | application_delivery_controller | >= 12.1 < 12.1-65.35 | 12.1-65.35 |
| citrix | application_delivery_controller | >= 13.0 < 13.0-90.11 | 13.0-90.11 |
| citrix | application_delivery_controller | >= 13.1 < 13.1-45.61 | 13.1-45.61 |
| citrix | citrix_adc | — | — |
| citrix | citrix_adc_and_citrix_gateway | >= 12.1 < 12.1-65.35 | 12.1-65.35 |
| citrix | citrix_adc_and_citrix_gateway | >= 12.1-FIPS < 12.1-55.296 | 12.1-55.296 |
| citrix | citrix_adc_and_citrix_gateway | >= 12.1-NDcPP < 12.1-55.296 | 12.1-55.296 |
| citrix | citrix_adc_and_citrix_gateway | >= 13.0 < 13.0-90.11 | 13.0-90.11 |
| citrix | citrix_adc_and_citrix_gateway | >= 13.1 < 13.1-45.61 | 13.1-45.61 |
| citrix | citrix_adc_and_citrix_gateway | >= 13.1-FIPS < 13.1-37.150 | 13.1-37.150 |
| citrix | citrix_gateway | — | — |
| citrix | gateway | >= 12.1 < 12.1-65.35 | 12.1-65.35 |
| citrix | gateway | >= 13.0 < 13.0-90.11 | 13.0-90.11 |
| citrix | gateway | >= 13.1 < 13.1-45.61 | 13.1-45.61 |
| citrix | xenserver | — | — |
Detection & IOCs (extracted from sources)
url: /oauth/idp/logout?post_logout_redirect_uri=%0D%0A%0D%0A%3Cbody+x=%27&%27onload=%22(alert)(%27citrix+akamai+bypass%27)%22%3E
url: /oauth/idp/logout?post_logout_redirect_uri=%0d%0a%0d%0aalert(document.domain)
path: /oauth/idp/logout
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Possible Citrix Gateway CVE-2023-24488 Exploit Attempt M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/oauth/idp/logout?post_logout_redirect_uri|3d|"; fast_pattern; startswith; reference:url,blog.assetnote.io/2023/06/29/binary-reversing-citrix-xss/; reference:url,support.citrix.com/article/CTX477714/citrix-adc-and-citrix-gateway-security-bulletin-for-cve202324487-cve202324488; reference:cve,2023-24488; classtype:web-application-attack; sid:2046719; rev:1; metadata:affected_product Citrix, attack_target Client_Endpoint, created_at 2023_07_03, cve CVE_2023_24488, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence Low, signature_severity Major, tag XSS, tag Open_Redirect, updated_at 2023_07_03; target:src_ip;)
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Possible Citrix Gateway CVE-2023-24488 Exploit Attempt M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/oauth/idp/logout?post_logout_redirect_uri|3d 0d 0a 0d 0a|"; fast_pattern; startswith; reference:url,blog.assetnote.io/2023/06/29/binary-reversing-citrix-xss/; reference:url,support.citrix.com/article/CTX477714/citrix-adc-and-citrix-gateway-security-bulletin-for-cve202324487-cve202324488; reference:cve,2023-24488; classtype:web-application-attack; sid:2046720; rev:1; metadata:attack_target Client_Endpoint, created_at 2023_07_03, cve CVE_2023_24488, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence Low, signature_severity Major, updated_at 2023_07_03; target:src_ip;)
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Possible Citrix Gateway CVE-2023-24488 Exploit Attempt M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/oauth/idp/logout?post_logout_redirect_uri|3d|ws|3a 2f 2f|localhost/"; fast_pattern; startswith; content:"|0d 0a 0d 0a|"; reference:url,blog.assetnote.io/2023/06/29/binary-reversing-citrix-xss/; reference:url,support.citrix.com/article/CTX477714/citrix-adc-and-citrix-gateway-security-bulletin-for-cve202324487-cve202324488; reference:cve,2023-24488; classtype:web-application-attack; sid:2046721; rev:1; metadata:affected_product Citrix, attack_target Client_Endpoint, created_at 2023_07_03, cve CVE_2023_24488, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence Low, signature_severity Major, tag XSS, updated_at 2023_07_03; target:src_ip;)
- Exploit targets the /oauth/idp/logout endpoint via GET request with a crafted post_logout_redirect_uri parameter containing CRLF injection sequences (%0D%0A or |0d 0a|) to inject HTML/script content into the HTTP response body.
- Successful exploit probe returns HTTP 302 redirect with reflected XSS payload (alert(document.domain) or inline script) in the response body with Content-Type: text/html.
- Appliance must be configured as a Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server for the vulnerability to be exploitable.
- M3 variant uses a WebSocket-style URI (ws://localhost/) in the post_logout_redirect_uri parameter followed by a double CRLF sequence as an alternative bypass technique.
- Shodan/FOFA/Google dork for exposed Citrix Gateway instances: search for title 'Citrix Gateway'.
- Vulnerability is only exploitable when the Citrix ADC/Gateway appliance is configured as a Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) OR as an AAA virtual server. Appliances not in these roles are not affected.
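
Added example (not from the page or from the rule authors): a Python log-triage function that applies the match logic of the three rules above to web access logs, after percent-decoding the request target so that `%0D%0A` becomes the `|0d 0a|` bytes the rules look for. The combined log format, the constructed sample lines, and the choice to drop M1-only hits as routine logouts are assumptions of this example.

```python
import re
from urllib.parse import unquote_to_bytes

# Decoded-URI prefix shared by the three ET rules quoted above.
PREFIX = b"/oauth/idp/logout?post_logout_redirect_uri="
CRLF2 = b"\r\n\r\n"
# Request line inside a combined-format access log entry (assumed log format).
REQ = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def match_rules(method: str, target: str) -> list[str]:
    """Return the ET rule variants (M1/M2/M3) a request would match."""
    if method != "GET":
        return []
    uri = unquote_to_bytes(target)  # decode %0D%0A etc. before matching
    if not uri.startswith(PREFIX):
        return []
    hits = ["M1"]  # endpoint + parameter only: low confidence on its own
    value = uri[len(PREFIX):]
    if value.startswith(CRLF2):
        hits.append("M2")  # parameter value begins with a double CRLF
    if value.startswith(b"ws://localhost/") and CRLF2 in value:
        hits.append("M3")  # ws://localhost/ followed by a double CRLF
    return hits


def triage(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Return (client_ip, matched_rules) for lines that match beyond M1."""
    findings = []
    for line in lines:
        m = REQ.search(line)
        if not m:
            continue
        hits = match_rules(m["method"], m["target"])
        if len(hits) > 1:  # assumption: M1 alone is an ordinary logout
            findings.append((line.split()[0], hits))
    return findings


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '198.51.100.7 - - [03/Jul/2023:10:00:01 +0000] "GET /oauth/idp/logout?post_logout_redirect_uri=https://portal.example.com/ HTTP/1.1" 302 0',
    '203.0.113.9 - - [03/Jul/2023:10:00:05 +0000] "GET /oauth/idp/logout?post_logout_redirect_uri=%0d%0a%0d%0aalert(document.domain) HTTP/1.1" 302 58',
    '203.0.113.9 - - [03/Jul/2023:10:00:09 +0000] "GET /oauth/idp/logout?post_logout_redirect_uri=ws://localhost/%0D%0A%0D%0ATEST HTTP/1.1" 302 40',
    '198.51.100.7 - - [03/Jul/2023:10:00:12 +0000] "GET /vpn/index.html HTTP/1.1" 200 5120',
]
```

Calling `triage(SAMPLE)` returns the two requests from 203.0.113.9; the plain logout and the unrelated request are not reported.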
CVSS provenance
nvd · v3.1 · 6.1 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vulncheck · 6.1 MEDIUM
Citrix
Citrix ADC and Citrix Gateway Security Bulletin for CVE-2023-24487, CVE-2023-24488
vendor_citrix·2024-07-13·CVSS 7.5
CVE-2023-24487 [HIGH] CWE-253 Citrix ADC and Citrix Gateway Security Bulletin for CVE-2023-24487, CVE-2023-24488
| CVE | Description | Pre-requisites | CWE |
|---|---|---|---|
| CVE-2023-24488 | Cross site scripting | Appliance must be configured as a Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server | CWE-79 |
| CVE-2023-24487 | Arbitrary file read | Access to NSIP or SNIP with management interface access | CWE-253 |

Instructions
Affected customers of Citrix ADC and Citrix Gateway are recommended to install the relevant updated versions of Citrix ADC or Citrix Gateway as soon as possible:
- Citrix ADC and Citrix Gateway 13.1-45.61 and later releases
- Citrix ADC and Citrix Gateway 13.0-90.11 and later releases of 13.0
- Citrix ADC and Citrix Gateway 12.1-65.35 and later releases of 12.1
- Citrix ADC 12.1-FIPS 12.1-55.296 and later releases of 12.1-FIPS
- Citrix ADC 13.1-F
Citrix
CVE-2023-24488: Cross site scripting vulnerability in Citrix ADC and Citrix Gateway allows an attacker to perform cross site scripting
vendor_citrix·2023-07-10·CVSS 6.1
CVE-2023-24488 [MEDIUM] CWE-79
GHSA
GHSA-9p94-mp85-fwj9: Cross site scripting vulnerability in Citrix ADC and Citrix Gateway allows an attacker to perform cross site scripting
ghsa_unreviewed·2023-07-10
CVE-2023-24488 [MEDIUM] CWE-79
VulnCheck
Citrix ShareFile Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
vulncheck·2023·CVSS 6.1
CVE-2023-24488 [MEDIUM] Citrix ShareFile Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross site scripting vulnerability in Citrix ADC and Citrix Gateway allows an attacker to perform cross site scripting
Affected: Citrix ShareFile
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-15&host_type=src&vulnerability=cve-2023-24488
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-21&host_type=src&vulnerability=cve-2023-24488
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-22&host_typ
Suricata
ET WEB_SPECIFIC_APPS Possible Citrix Gateway CVE-2023-24488 Exploit Attempt M3
suricata·2023-07-03·CVSS 6.1
CVE-2023-24488 [MEDIUM] ET WEB_SPECIFIC_APPS Possible Citrix Gateway CVE-2023-24488 Exploit Attempt M3
Suricata
ET WEB_SPECIFIC_APPS Possible Citrix Gateway CVE-2023-24488 Exploit Attempt M1
suricata·2023-07-03·CVSS 6.1
CVE-2023-24488 [MEDIUM] ET WEB_SPECIFIC_APPS Possible Citrix Gateway CVE-2023-24488 Exploit Attempt M1
Suricata
ET WEB_SPECIFIC_APPS Possible Citrix Gateway CVE-2023-24488 Exploit Attempt M2
suricata·2023-07-03·CVSS 6.1
CVE-2023-24488 [MEDIUM] ET WEB_SPECIFIC_APPS Possible Citrix Gateway CVE-2023-24488 Exploit Attempt M2
Nuclei
Citrix Gateway and Citrix ADC - Cross-Site Scripting
nuclei·CVSS 6.1
CVE-2023-24488 [MEDIUM] Citrix Gateway and Citrix ADC - Cross-Site Scripting
Citrix ADC and Citrix Gateway versions before 13.1 and 13.1-45.61, 13.0 and 13.0-90.11, 12.1 and 12.1-65.35 contain a cross-site scripting vulnerability due to improper input validation.
Template:
```yaml
id: CVE-2023-24488

info:
  name: Citrix Gateway and Citrix ADC - Cross-Site Scripting
  author: johnk3r,DhiyaneshDk
  severity: medium
  description: |
    Citrix ADC and Citrix Gateway versions before 13.1 and 13.1-45.61, 13.0 and 13.0-90.11, 12.1 and 12.1-65.35 contain a cross-site scripting vulnerability due to improper input validation.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary scripts in the context of the user's browser, potentially leading to session hijacking, defacement, or theft of se
```