Vulnerability Name:

CVE-2020-8198 (CCN-184694)

Assigned:2020-07-07
Published:2020-07-07
Updated:2020-07-13
Summary:Improper input validation in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 resulting in Stored Cross-Site Scripting (XSS).
CVSS v3 Severity:6.1 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): None
6.1 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): None
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
5.5 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-79
Vulnerability Consequences:Cross-Site Scripting
References:Source: MITRE
Type: CNA
CVE-2020-8198

Source: XF
Type: UNKNOWN
citrix-cve20208198-xss(184694)

Source: CCN
Type: CTX276688
Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance Security Update

Source: MISC
Type: Vendor Advisory
https://support.citrix.com/article/CTX276688

Vulnerable Configuration:Configuration 1:
  • cpe:/o:citrix:application_delivery_controller_firmware:*:*:*:*:*:*:*:* (Version >= 10.5 and < 10.5-70.18)
  • OR cpe:/o:citrix:application_delivery_controller_firmware:*:*:*:*:*:*:*:* (Version >= 11.1 and < 11.1-64.14)
  • OR cpe:/o:citrix:application_delivery_controller_firmware:*:*:*:*:*:*:*:* (Version >= 12.0 and < 12.0-63.21)
  • OR cpe:/o:citrix:application_delivery_controller_firmware:*:*:*:*:*:*:*:* (Version >= 12.1 and < 12.1-57.18)
  • OR cpe:/o:citrix:application_delivery_controller_firmware:*:*:*:*:*:*:*:* (Version >= 13.0 and < 13.0-58.30)
  • AND
  • cpe:/h:citrix:application_delivery_controller:-:*:*:*:*:*:*:*

    • Configuration 2:
  • cpe:/o:citrix:netscaler_gateway_firmware:*:*:*:*:*:*:*:* (Version >= 10.5 and < 10.5-70.18)
  • OR cpe:/o:citrix:netscaler_gateway_firmware:*:*:*:*:*:*:*:* (Version >= 11.1 and < 11.1-64.14)
  • OR cpe:/o:citrix:netscaler_gateway_firmware:*:*:*:*:*:*:*:* (Version >= 12.0 and < 12.0-63.21)
  • OR cpe:/o:citrix:netscaler_gateway_firmware:*:*:*:*:*:*:*:* (Version >= 12.1 and < 12.1-57.18)
  • AND
  • cpe:/h:citrix:netscaler_gateway:-:*:*:*:*:*:*:*

    • Configuration 3:
  • cpe:/o:citrix:gateway_firmware:*:*:*:*:*:*:*:* (Version >= 13.0 and < 13.0-58.30)
  • AND
  • cpe:/h:citrix:gateway:-:*:*:*:*:*:*:*

    • Configuration 4:
  • cpe:/o:citrix:sd-wan_wanop:*:*:*:*:*:*:*:* (Version >= 10.2 and < 10.2.7)
  • OR cpe:/o:citrix:sd-wan_wanop:*:*:*:*:*:*:*:* (Version >= 11.0 and < 11.0.3d)
  • OR cpe:/o:citrix:sd-wan_wanop:*:*:*:*:*:*:*:* (Version >= 11.1 and < 11.1.1a)
  • AND
  • cpe:/h:citrix:4000-wo:-:*:*:*:*:*:*:*
  • OR cpe:/h:citrix:4100-wo:-:*:*:*:*:*:*:*
  • OR cpe:/h:citrix:5000-wo:-:*:*:*:*:*:*:*
  • OR cpe:/h:citrix:5100-wo:-:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/o:citrix:gateway_firmware:11.1:*:*:*:*:*:*:*
  • OR cpe:/o:citrix:gateway_firmware:12.0:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    citrix application delivery controller firmware *
    citrix application delivery controller firmware *
    citrix application delivery controller firmware *
    citrix application delivery controller firmware *
    citrix application delivery controller firmware *
    citrix application delivery controller -
    citrix netscaler gateway firmware *
    citrix netscaler gateway firmware *
    citrix netscaler gateway firmware *
    citrix netscaler gateway firmware *
    citrix netscaler gateway -
    citrix gateway firmware *
    citrix gateway -
    citrix sd-wan wanop *
    citrix sd-wan wanop *
    citrix sd-wan wanop *
    citrix 4000-wo -
    citrix 4100-wo -
    citrix 5000-wo -
    citrix 5100-wo -
    citrix gateway firmware 11.1
    citrix gateway firmware 12.0