cbcvebase.
CVE-2023-6184
published 2024-01-18

CVE-2023-6184: Cross SiteScripting vulnerability in Citrix Session Recording allows attacker to perform Cross Site Scripting

PriorityP276high7.2CVSS 3.1
AVNACLPRHUINSUCHIHAH
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
46.61%
98.7th percentile
Cross SiteScripting vulnerability in Citrix Session Recording allows attacker to perform Cross Site Scripting

Affected

10 ranges
VendorProductVersion rangeFixed in
citrixcitrix_session_recording
citrixcitrix_virtual_apps_and_desktops
citrixsession_recording
citrixvirtual_apps_and_desktops<= 2311
citrixvirtual_apps_and_desktops
citrixvirtual_apps_and_desktops
citrixxenserver
cloud_software_groupcitrix_session_recording>= 1912 LTSR < CU8 hotfix 19.12.8100.4CU8 hotfix 19.12.8100.4
cloud_software_groupcitrix_session_recording>= 2203 LTSR < CU4CU4
cloud_software_groupcitrix_session_recording>= 2311 Current Release < 00

Detection & IOCsextracted from sources · hover to see the quote

path/SessionRecordingBroker/RestApiStat.rem
commandPOST /SessionRecordingBroker/RestApiStat.rem
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Citrix Session Recording .NET Remoting Remote Code Execution (CVE-2023-6184)"; flow:established,to_server; http.uri; content:"/SessionRecordingBroker/RestApiStat.rem"; fast_pattern; http.header; to_lowercase; content:"soapaction|3a 20|"; http.request_body; content:!"SOAP-ENV:Body"; content:"|3a|TextFormattingRunProperties"; content:"sd|3a|ProcessStartInfo|20|Arguments|3d|"; http.method; content:"POST"; reference:url,www.assetnote.io/resources/research/continuing-the-citrix-saga-cve-2023-5914-cve-2023-6184; reference:cve,2023-6184; classtype:web-application-attack; sid:2065768; rev:1;)
bytes
|3a|TextFormattingRunProperties
bytes
sd|3a|ProcessStartInfo|20|Arguments|3d|
  • CVE-2023-6184 exploits .NET Remoting via a POST to /SessionRecordingBroker/RestApiStat.rem. Requests contain a SOAPAction header but lack a SOAP-ENV:Body element, and the body includes TextFormattingRunProperties and ProcessStartInfo Arguments — hallmarks of a .NET Remoting deserialization RCE gadget chain.
  • Attacker must be an authenticated user with admin privileges to the Session Recording server to exploit CVE-2023-6184 for RCE.
  • The vulnerability is classified as CWE-913 (Improper Control of Dynamically-Managed Code Resources), consistent with unsafe .NET Remoting deserialization leading to arbitrary code execution.
  • Emerging Threats SID 2065768 (rev:1, created 2025-11-14) covers CVE-2023-6184 inbound exploitation attempts targeting $HOME_NET on any port; deploy on perimeter, internal, and SSLDecrypt sensors with TLS inspection enabled.
  • ·TLS inspection (SSLDecrypt) is required for the Snort/Suricata rule (SID 2065768) to fire, as the .NET Remoting traffic to /SessionRecordingBroker/RestApiStat.rem will be encrypted in typical deployments.
  • ·Exploitation requires the attacker to already hold authenticated admin-level access to the Citrix Session Recording server; unauthenticated exploitation is not possible for CVE-2023-6184.

CVSS provenance

nvdv3.17.2HIGHCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
vulncheck5.0MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.