CVE-2016-2789 - Persistent Cross-Site Scripting Vulnerability in Citrix XenMobile Server 10.x Web User Interface

A Cross-Site Scripting (XSS) vulnerability has been identified in XenMobile Server 10.x.

This vulnerability could potentially be used to execute malicious client-side script in the same context as legitimate content from the web server; if this vulnerability is used to execute script in the browser of an authenticated administrator then the script may be able to gain access to the administrator’s session or other potentially sensitive information.

This vulnerability has been assigned the following CVE number:

• CVE-2016-2789: Persistent Cross-Site Scripting vulnerability in Citrix XenMobile Server 10.x

This vulnerability affects the following versions of Citrix XenMobile Server:

• All versions of Citrix XenMobile Server 10.0
• Citrix XenMobile Server 10.1 earlier than Rolling Patch 4
• Citrix XenMobile Server 10.3 earlier than Rolling Patch 1

This vulnerability is not present in Citrix XenMobile Device Manager server 9.0 or earlier, formerly known as Zenprise Device Manager server.  

This vulnerability has been addressed in new versions of the Citrix XenMobile Server software. Citrix recommends that customers upgrade to the following versions:

• Citrix XenMobile 10.3 Rolling Patch 1
• Citrix XenMobile 10.1 Rolling Patch 4 

These new versions can be downloaded from the following locations:

• http://support.citrix.com/article/CTX206381 
• http://support.citrix.com/article/CTX205148

Citrix recommends that customers using affected versions of XenMobile upgrade as possible.

Citrix thanks Ken Cijsouw of Sincerus (https://www.sincerus.nl) for working with us to protect Citrix customers.