CVE-2019-13608
Published: 29 August 2019
Summary
CVE-2019-13608 is a high-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in Citrix Storefront Server. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 1.2% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Citrix StoreFront Server versions before 1903, 7.15 LTSR before CU4 (3.12.4000), and 7.6 LTSR before CU8 (3.0.8000) are affected by an XML External Entity vulnerability tracked as CVE-2019-13608 and CWE-611. The flaw received a CVSS 3.1 score of 7.5 with a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.
An unauthenticated remote attacker can send crafted XML input over the network to exploit the issue and obtain unauthorized access to sensitive files or internal resources on the server.
The referenced Citrix advisory CTX251988 describes available updates and configuration changes to resolve the exposure, while inclusion in the CISA Known Exploited Vulnerabilities catalog confirms observed real-world exploitation activity.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-5046
Vulnerability details
Citrix StoreFront Server before 1903, 7.15 LTSR before CU4 (3.12.4000), and 7.6 LTSR before CU8 (3.0.8000) allows XXE attacks.
- CWE(s): CWE-611
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): Directly requires validation and sanitization of XML input to block external entity declarations that enable the XXE attack described in CVE-2019-13608.
SI-2 (Flaw Remediation): Mandates timely application of vendor patches (CTX251988) that eliminate the XXE flaw in the affected Citrix StoreFront versions.
Requires secure configuration of XML parsers to disable external entity processing, directly addressing the root cause of this unauthenticated remote XXE exposure.
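The parser hardening the last control describes, shown as an added Python example that is not Citrix code and not taken from the advisory: a parse routine on the standard-library expat bindings that aborts on the first DOCTYPE or entity declaration (the only place a CWE-611 external entity can be declared) and never resolves a SYSTEM or PUBLIC resource. The two sample documents and the file path inside the rejected one are constructed placeholders.

```python
import xml.parsers.expat as expat


class XXERejected(ValueError):
    """Raised when untrusted XML carries a DTD or entity declaration."""


def parse_untrusted_xml(data: bytes) -> str:
    """Parse XML from an untrusted client and return its text content.

    External entities can only be declared inside a DTD, so the parser
    stops at the first DOCTYPE or ENTITY declaration instead of letting
    expat resolve anything on the server's behalf.
    """
    parser = expat.ParserCreate()
    texts = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise XXERejected(f"DOCTYPE {name!r} not accepted from untrusted input")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise XXERejected(f"entity {name!r} declaration not accepted")

    def on_external_ref(context, base, sysid, pubid):
        # Defence in depth: even if a DTD slipped through, fetch nothing.
        raise XXERejected(f"external entity {sysid!r} not resolved")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.CharacterDataHandler = texts.append
    parser.Parse(data, True)
    return "".join(texts)


# Constructed sample documents (not captured traffic); the path is a placeholder.
BENIGN = b'<?xml version="1.0"?><request><user>alice</user></request>'
XXE_SAMPLE = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE r [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/secret.txt">]>'
    b"<r>&ext;</r>"
)


def check(data: bytes) -> str:
    """Return the parsed text, or 'rejected' when the guard fires."""
    try:
        return parse_untrusted_xml(data)
    except XXERejected:
        return "rejected"


if __name__ == "__main__":
    print(check(BENIGN))       # alice
    print(check(XXE_SAMPLE))   # rejected
```

The same guard also stops internal-entity expansion attacks, since those need a DTD too; log each rejection with the client address so the event is visible to detection.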