CVE-2023-6184
published 2024-01-18CVE-2023-6184: Cross SiteScripting vulnerability in Citrix Session Recording allows attacker to perform Cross Site Scripting
PriorityP276high7.2CVSS 3.1
AVNACLPRHUINSUCHIHAH
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
46.61%
98.7th percentile
Cross SiteScripting vulnerability in Citrix Session Recording allows attacker to perform Cross Site Scripting
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| citrix | citrix_session_recording | — | — |
| citrix | citrix_virtual_apps_and_desktops | — | — |
| citrix | session_recording | — | — |
| citrix | virtual_apps_and_desktops | <= 2311 | — |
| citrix | virtual_apps_and_desktops | — | — |
| citrix | virtual_apps_and_desktops | — | — |
| citrix | xenserver | — | — |
| cloud_software_group | citrix_session_recording | >= 1912 LTSR < CU8 hotfix 19.12.8100.4 | CU8 hotfix 19.12.8100.4 |
| cloud_software_group | citrix_session_recording | >= 2203 LTSR < CU4 | CU4 |
| cloud_software_group | citrix_session_recording | >= 2311 Current Release < 0 | 0 |
Detection & IOCsextracted from sources · hover to see the quote
commandPOST /SessionRecordingBroker/RestApiStat.rem
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Citrix Session Recording .NET Remoting Remote Code Execution (CVE-2023-6184)"; flow:established,to_server; http.uri; content:"/SessionRecordingBroker/RestApiStat.rem"; fast_pattern; http.header; to_lowercase; content:"soapaction|3a 20|"; http.request_body; content:!"SOAP-ENV:Body"; content:"|3a|TextFormattingRunProperties"; content:"sd|3a|ProcessStartInfo|20|Arguments|3d|"; http.method; content:"POST"; reference:url,www.assetnote.io/resources/research/continuing-the-citrix-saga-cve-2023-5914-cve-2023-6184; reference:cve,2023-6184; classtype:web-application-attack; sid:2065768; rev:1;)
bytes
|3a|TextFormattingRunProperties
bytes
sd|3a|ProcessStartInfo|20|Arguments|3d|
- →CVE-2023-6184 exploits .NET Remoting via a POST to /SessionRecordingBroker/RestApiStat.rem. Requests contain a SOAPAction header but lack a SOAP-ENV:Body element, and the body includes TextFormattingRunProperties and ProcessStartInfo Arguments — hallmarks of a .NET Remoting deserialization RCE gadget chain.
- →Attacker must be an authenticated user with admin privileges to the Session Recording server to exploit CVE-2023-6184 for RCE. ↗
- →The vulnerability is classified as CWE-913 (Improper Control of Dynamically-Managed Code Resources), consistent with unsafe .NET Remoting deserialization leading to arbitrary code execution. ↗
- →Emerging Threats SID 2065768 (rev:1, created 2025-11-14) covers CVE-2023-6184 inbound exploitation attempts targeting $HOME_NET on any port; deploy on perimeter, internal, and SSLDecrypt sensors with TLS inspection enabled.
- ·TLS inspection (SSLDecrypt) is required for the Snort/Suricata rule (SID 2065768) to fire, as the .NET Remoting traffic to /SessionRecordingBroker/RestApiStat.rem will be encrypted in typical deployments.
- ·Exploitation requires the attacker to already hold authenticated admin-level access to the Citrix Session Recording server; unauthenticated exploitation is not possible for CVE-2023-6184. ↗
CVSS provenance
nvdv3.17.2HIGHCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
vulncheck5.0MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Citrix
CVE-2023-6184: Cross SiteScripting vulnerability in Citrix Session Recording allows attacker to perform Cross Site Scripting
vendor_citrix·2024-01-18·CVSS 5.0
CVE-2023-6184 [MEDIUM] CWE-913 CVE-2023-6184: Cross SiteScripting vulnerability in Citrix Session Recording allows attacker to perform Cross Site Scripting
CVE-2023-6184: Cross SiteScripting vulnerability in Citrix Session Recording allows attacker to perform Cross Site Scripting
Citrix
Citrix Session Recording Security Bulletin for CVE-2023-6184
vendor_citrix·2024-01-16·CVSS 7.2
CVE-2023-6184 [HIGH] CWE-913 Citrix Session Recording Security Bulletin for CVE-2023-6184
Citrix Session Recording Security Bulletin for CVE-2023-6184
Pre-requisites CWE CVE-2023-6184 An authenticated user can perform RCE Attacker must possess admin privileges to the Session Recording server CWE-913 Instructions Cloud Software Group strongly urges affected customers of Citrix Session Recording to install the relevant updated versions of Citrix Session Recording as soon their upgrade schedule permits: Current Release (CR) Citrix Virtual Apps and Desktops 2311 and later Long Term Service Release (LTSR) Citrix Virtual Apps and Desktops 1912 LTSR CU8 hotfix 19.12.8100.4* and later Citrix Virtual Apps and Desktops 2203 LTSR CU4 and later Please use the following link for downloading the builds: https://www.citrix.com/downloads/ * Citrix Virtual Apps and Desktops 1912 LTSR CU8 hotfi
GHSA
GHSA-28qj-gvxv-p5g9: Cross SiteScripting vulnerability in Citrix Session Recording allows attacker to perform Cross Site Scripting
ghsa_unreviewed·2024-01-18
CVE-2023-6184 [MEDIUM] CWE-79 GHSA-28qj-gvxv-p5g9: Cross SiteScripting vulnerability in Citrix Session Recording allows attacker to perform Cross Site Scripting
Cross SiteScripting vulnerability in Citrix Session Recording allows attacker to perform Cross Site Scripting
VulnCheck
Citrix virtual_apps_and_desktops Improper Control of Dynamically-Managed Code Resources
vulncheck·2023·CVSS 5.0
CVE-2023-6184 [MEDIUM] Citrix virtual_apps_and_desktops Improper Control of Dynamically-Managed Code Resources
Citrix virtual_apps_and_desktops Improper Control of Dynamically-Managed Code Resources
Cross SiteScripting vulnerability in Citrix Session Recording allows attacker to perform Cross Site Scripting
Affected: Citrix virtual_apps_and_desktops
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-07-18&host_type=src&vulnerability=cve-2023-6184; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-07-20&host_type=src&vulnerability=cve-2023-6184; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-07-21&host_type=src&vulnera
Suricata
ET WEB_SPECIFIC_APPS Citrix StoreFront XML Parsing Exception Response (CVE-2023-5914)
suricata·2025-11-14·CVSS 5.4
CVE-2023-5914 [MEDIUM] ET WEB_SPECIFIC_APPS Citrix StoreFront XML Parsing Exception Response (CVE-2023-5914)
ET WEB_SPECIFIC_APPS Citrix StoreFront XML Parsing Exception Response (CVE-2023-5914)
Rule: alert http $HOME_NET any -> any any (msg:"ET WEB_SPECIFIC_APPS Citrix StoreFront XML Parsing Exception Response (CVE-2023-5914)"; flow:established,to_client; flowbits:isset,ET.Citrix.CVE_2023_5914; http.response_body; content:"System.Xml.XmlException"; pcre:"/^(?:(?!\x3c\x2fdiv\x3e).)+(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]+|c(?:hange|lick)|(?:un)?load|focus|blur|error)|s(?:cript|tyle\x3d))/R"; http.cookie; content:"Citrix_AuthSvc|3d|"; content:"path=/Citrix/teststoreAuth"; fast_pattern; http.stat_code; content:"200"; reference:url,www.assetnote.io/resources/research/continuing-the-citrix-saga-cve-2023-5914-cve-2023-6184; classtype:web-application-attack; sid:206577
Suricata
ET WEB_SPECIFIC_APPS Citrix Session Recording .NET Remoting Remote Code Execution (CVE-2023-6184)
suricata·2025-11-14·CVSS 5.0
CVE-2023-6184 [MEDIUM] ET WEB_SPECIFIC_APPS Citrix Session Recording .NET Remoting Remote Code Execution (CVE-2023-6184)
ET WEB_SPECIFIC_APPS Citrix Session Recording .NET Remoting Remote Code Execution (CVE-2023-6184)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Citrix Session Recording .NET Remoting Remote Code Execution (CVE-2023-6184)"; flow:established,to_server; http.uri; content:"/SessionRecordingBroker/RestApiStat.rem"; fast_pattern; http.header; to_lowercase; content:"soapaction|3a 20|"; http.request_body; content:!"SOAP-ENV:Body"; content:"|3a|TextFormattingRunProperties"; content:"sd|3a|ProcessStartInfo|20|Arguments|3d|"; http.method; content:"POST"; reference:url,www.assetnote.io/resources/research/continuing-the-citrix-saga-cve-2023-5914-cve-2023-6184; reference:cve,2023-6184; classtype:web-application-attack; sid:2065768; rev:1; metadata:affected_product Citrix, attack_
Suricata
ET WEB_SPECIFIC_APPS Citrix StoreFront Reflected Cross-Site Scripting (CVE-2023-5914)
suricata·2025-11-14·CVSS 5.4
CVE-2023-5914 [MEDIUM] ET WEB_SPECIFIC_APPS Citrix StoreFront Reflected Cross-Site Scripting (CVE-2023-5914)
ET WEB_SPECIFIC_APPS Citrix StoreFront Reflected Cross-Site Scripting (CVE-2023-5914)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Citrix StoreFront Reflected Cross-Site Scripting (CVE-2023-5914)"; flow:established,to_server; flowbits:set,ET.Citrix.CVE_2023_5914; http.uri; content:"/Citrix/teststoreAuth/SamlTest"; fast_pattern; http.method; content:"POST"; reference:url,www.assetnote.io/resources/research/continuing-the-citrix-saga-cve-2023-5914-cve-2023-6184; reference:cve,2023-5914; classtype:web-application-attack; sid:2065778; rev:1; metadata:affected_product Citrix, attack_target Server, tls_state TLSDecrypt, created_at 2025_11_14, cve CVE_2023_5914, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, ta
Nuclei
Citrix StoreFront - Cross-Site Scripting
nuclei·CVSS 6.1
CVE-2023-5914 [MEDIUM] Citrix StoreFront - Cross-Site Scripting
Citrix StoreFront - Cross-Site Scripting
Reflected Cross-Site Scripting issue which is exploitable without authentication. This vulnerability was exploitable through coercing an error message during an XML parsing procedure in the SSO flow.
Template:
id: CVE-2023-5914
info:
name: Citrix StoreFront - Cross-Site Scripting
author: DhiyaneshDK
severity: medium
description: |
Reflected Cross-Site Scripting issue which is exploitable without authentication. This vulnerability was exploitable through coercing an error message during an XML parsing procedure in the SSO flow.
impact: |
Unauthenticated attackers can inject malicious JavaScript via reflected XSS during XML parsing in the SSO flow, potentially stealing user credentials or session tokens.
remediation: |
Apply Citrix security update
No writeups or analysis indexed.
2024-01-18
Published
Exploited in the wild