Description

Citrix Endpoint Management, aka XenMobile, is used for managing employee mobile devices and mobile applications.

A path traversal vulnerability exists in Citrix Endpoint Management. This vulnerability allows an unauthorized user to read arbitrary files, including configuration files containing passwords.

Remediation

Upgrade to the latest version of Citrix Endpoint Management (CEM), also referred to as XenMobile. The official patch removes the file /opt/sas/sw/tomcat/inst1/webapps/ROOT/jsp/help-sb-download.jsp.

References

Path Traversal on Citrix XenMobile Server

Citrix Endpoint Management (CEM) Security Update

Related Vulnerabilities

WordPress Plugin myEASYbackup 'dwn_file' Parameter Directory Traversal (1.0.8.1)

WordPress Plugin Adifier System Multiple Vulnerabilities (3.1.3)

WordPress Plugin Snow Monkey Forms Directory Traversal (5.1.1)

WebLogic Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Vulnerability (CVE-2021-29425)

SolarWinds Serv-U Directory Traversal (CVE-2024-28995)

Severity

High

Classification

CVE-2020-8209 CWE-22 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Directory Traversal