Description of Problem
A reflected cross-site scripting (XSS) issue has been discovered in Citrix StoreFront when it is configured to use SAML authentication. If exploited, this issue would allow an attacker to execute client-side JavaScript in the same context as a legitimate user. This issue has the following identifier:
| CVE-ID | Description | Type | Pre-requisites |
|---|---|---|---|
| CVE-2022-27503 | Reflected Cross Site Scripting (XSS) | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | A victim user must have a current session on a StoreFront that has been configured to use SAML authentication |
The issue affects the following supported versions of Citrix StoreFront:
- Citrix StoreFront 1912 LTSR up to and including CU4 (1912.0.4000)
- Citrix StoreFront 3.12 for 7.15 LTSR up to and including CU8 (3.12.8000)
Affected versions of Citrix StoreFront are included within the following supported versions of Citrix Virtual Apps and Desktops:
- Current Release (CR) versions of Citrix Virtual Apps and Desktops up to and including 2112
- Citrix Virtual Apps and Desktops 1912 LTSR up to and including CU4
- Citrix XenApp & XenDesktop 7.15 LTSR up to and including CU8