Description
Citrix Endpoint Management, aka XenMobile, is used for managing employee mobile devices and mobile applications.
A path traversal vulnerability exists in Citrix Endpoint Management. This vulnerability allows an unauthorized user to read arbitrary files, including configuration files containing passwords.
Remediation
Upgrade to the latest version of Citrix Endpoint Management (CEM), also referred to as XenMobile. The official patch removes the file /opt/sas/sw/tomcat/inst1/webapps/ROOT/jsp/help-sb-download.jsp.
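The following is an added detection example, not part of the original advisory and not Citrix code: it scans web access logs for requests to the JSP that the patch removes and flags those whose query string carries path traversal sequences. The URL path (derived from the file's location under Tomcat's ROOT webapp), the combined log format, the PARAM query name and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# URL of the JSP the patch removes: the advisory's file path, mapped to a
# request path under Tomcat's ROOT webapp (assumption about the deployment).
ENDPOINT = "/jsp/help-sb-download.jsp"
# Client, request target and status from a combined-format log line (assumed format).
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def _fully_decode(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (e.g. %252e -> %2e -> .)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return (client, status, verdict) for requests to ENDPOINT, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, target, status = m.group(1), m.group(2), int(m.group(3))
    path, _, query = target.partition("?")
    if _fully_decode(path).lower().rstrip("/") != ENDPOINT:
        return None
    q = _fully_decode(query).replace("\\", "/")
    traversal = "../" in q or q.endswith("..")
    if traversal and status == 200:
        return client, status, "traversal-served"   # a file was likely returned
    if traversal:
        return client, status, "traversal-attempt"
    return client, status, "endpoint-probe"         # patched hosts should answer 404

# Constructed sample lines: documentation IP ranges, placeholder parameter name.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:01:22 +0000] "GET /jsp/help-sb-download.jsp?PARAM=..%2f..%2f..%2ftmp%2fconstructed.txt HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:02:05 +0000] "GET /jsp/help-sb-download.jsp?PARAM=%252e%252e%252fconstructed HTTP/1.1" 404 0',
    '192.0.2.44 - - [01/Jan/2024:10:03:40 +0000] "GET /jsp/help-sb-download.jsp HTTP/1.1" 404 0',
    '192.0.2.10 - - [01/Jan/2024:10:04:11 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

def scan(lines):
    # Keep only the lines that touched the removed JSP.
    return [hit for hit in map(classify, lines) if hit]

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Any "traversal-served" hit on a host that was unpatched at the time warrants treating passwords stored in its configuration files as exposed.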