Description

Citrix Endpoint Management, aka XenMobile, is used for managing employee mobile devices and mobile applications.

A path traversal vulnerability exists in Citrix Endpoint Management. This vulnerability allows an unauthorized user to read arbitrary files, including configuration files containing passwords.

Remediation

Upgrade to the latest version of Citrix Endpoint Management (CEM), also referred to as XenMobile. The official patch removes the file /opt/sas/sw/tomcat/inst1/webapps/ROOT/jsp/help-sb-download.jsp.

References

Path Traversal on Citrix XenMobile Server

Citrix Endpoint Management (CEM) Security Update

Related Vulnerabilities

WordPress Plugin WP Background Takeover Directory Traversal (4.1.4)

WordPress Plugin Contact Form by WPForms-Drag & Drop Form Builder for WordPress Directory Traversal (1.7.5.3)

WordPress 4.1.x Multiple Vulnerabilities (4.1 - 4.1.18)

WordPress 5.3.x Multiple Vulnerabilities (5.3 - 5.3.14)

WordPress Plugin Wholesale Market for WooCommerce Directory Traversal (1.0.8)

Severity

High

Classification

CVE-2020-8209 CWE-22 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Directory Traversal