
Author: Government Digital Service (GDS)

CVE-2023-24488: Citrix Gateway Reflected XSS

What this means

A vulnerability exists in Citrix ADC and Citrix Gateway that can lead to Cross-Site Scripting (XSS) attacks. This occurs when user-supplied input is not properly sanitised, allowing malicious scripts to be injected and executed in the context of the user’s browser.

Why this is a problem

Affected versions of Citrix Gateway do not handle input parameters properly. This makes it possible for attackers to craft malicious links that trick users into executing arbitrary JavaScript code when the link is accessed.

This can lead to:

  • data theft – attackers can steal sensitive user information such as session tokens, cookies or other confidential data
  • unauthorised actions – attackers can impersonate a legitimate user, gaining unauthorised access to sensitive resources or data
  • reputational damage – a successful exploit may damage the organisation’s reputation and cause users to lose trust in it
  • compliance violations – organisations subject to regulations like the UK General Data Protection Regulation (GDPR) or Payment Card Industry Data Security Standard (PCI DSS) may face fines or penalties for not addressing the vulnerability
  • wider attacks – XSS vulnerabilities can be used as a first step for other attacks, such as delivering malware or phishing campaigns

How to check if the problem is there

To check if the vulnerability exists, an administrator should:

  • verify the software version
  • conduct security testing

Verifying the software version

Check the version of Citrix Gateway deployed. The affected versions are:

  • Citrix ADC and Citrix Gateway 13.1 before 13.1-45.61
  • Citrix ADC and Citrix Gateway 13.0 before 13.0-90.11
  • Citrix ADC and Citrix Gateway 12.1 before 12.1-65.35
  • Citrix ADC 12.1-FIPS before 12.1-55.296
  • Citrix ADC 12.1-NDcPP before 12.1-55.296
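As an added example (not part of this advisory or of Citrix's own tooling), a small Python check that compares a deployed version string against the affected ranges listed above, so the comparison is done numerically rather than by eye. It accepts the `13.1-45.61` form used in this list; the `NS13.1: Build 45.61.nc` form, and the FIPS/NDcPP variant flag, are assumptions about how the appliance reports itself.

```python
"""Compare a Citrix ADC / Citrix Gateway version against the CVE-2023-24488
affected ranges given in the advisory (added example, not vendor code)."""
import re
from typing import Optional, Tuple

# First fixed build per release train, taken from the advisory's list.
# Key: (release, variant); value: (build, sub-build).
FIXED_BUILDS = {
    ("13.1", "standard"): (45, 61),   # 13.1 before 13.1-45.61
    ("13.0", "standard"): (90, 11),   # 13.0 before 13.0-90.11
    ("12.1", "standard"): (65, 35),   # 12.1 before 12.1-65.35
    ("12.1", "FIPS"):     (55, 296),  # 12.1-FIPS before 12.1-55.296
    ("12.1", "NDcPP"):    (55, 296),  # 12.1-NDcPP before 12.1-55.296
}

# Matches "13.1-45.61" (advisory form) and "NS13.1: Build 45.61.nc"
# (assumed `show ns version` output). Trailing ".nc" is ignored.
_VERSION_RE = re.compile(r"(?:NS)?(\d+\.\d+)(?:-|:\s*Build\s+)(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[str, Tuple[int, int]]:
    """Return (release, (build, sub_build)) or raise on unknown input."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def is_affected(text: str, variant: str = "standard") -> Optional[bool]:
    """True if the build is below the fixed build for its train,
    False if at or above it, None if the train is not listed in the
    advisory (e.g. 14.1 or 12.0), in which case consult vendor guidance."""
    release, build = parse_version(text)
    fixed = FIXED_BUILDS.get((release, variant))
    if fixed is None:
        return None
    # Tuple comparison: build number first, then sub-build.
    return build < fixed


if __name__ == "__main__":
    # Constructed sample inputs, not real appliance output.
    for sample, variant in [("13.1-45.60", "standard"),
                            ("NetScaler NS13.0: Build 90.11.nc", "standard"),
                            ("12.1-55.296", "standard"),
                            ("12.1-55.296", "FIPS")]:
        print(sample, variant, "->", is_affected(sample, variant))
```

Note that the same build number means different things per variant: `12.1-55.296` is fixed for FIPS and NDcPP but still below the `12.1-65.35` threshold for the standard 12.1 train.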

Conducting security testing

You should perform a penetration test or vulnerability scan to identify Reflected XSS issues. Use tools like Burp Suite or OWASP ZAP to test input fields and URLs for improper input sanitisation. Look for any reflected input in server responses that is not properly encoded.

How to fix it

To mitigate CVE-2023-24488, an administrator should:

  • update the affected Citrix Gateway to the latest version
  • enable Web Application Firewall (WAF) or Next Generation Firewall (NGFW) protection, or both
