Description of Problem
Vulnerabilities have been discovered in multiple Citrix SD-WAN products. These vulnerabilities, if exploited, could result in the following security issues:
| CVE-ID | Description | CWE | Affected Products | Pre-conditions |
| CVE-2022-27505 | Reflected cross-site scripting (XSS) | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | Citrix SD-WAN Standard/Premium Edition Appliance | Victim user must have a current session on the vulnerable device. |
| CVE-2022-27506 | Hard-coded credentials allow administrators to access the shell via the SD-WAN CLI | CWE-798: Use of Hard-coded Credentials | Citrix SD-WAN Center Management Console, Citrix SD-WAN Standard/Premium Edition Appliance, and Citrix SD-WAN Orchestrator for On-Premises | Admin access to SD-WAN CLI |
The following supported versions of Citrix SD-WAN are affected by the vulnerabilities:
CVE-2022-27505 – High Severity
Citrix SD-WAN Standard/Premium Edition Appliance before 11.4.3a
CVE-2022-27506 – Low Severity
Citrix SD-WAN Center Management Console versions before 11.4.3
Citrix SD-WAN Standard/Premium Edition Appliance versions before 11.4.1
Citrix SD-WAN Orchestrator for On-Premises versions before 13.2.1
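The version boundaries above are easy to misread by hand because of the letter revision in 11.4.3a: on the Standard/Premium Edition Appliance, 11.4.3 is affected by CVE-2022-27505 while 11.4.3a is not. The following Python is an added example, not Citrix's code or tooling. It transcribes the product and version ranges from this advisory into a table and reports which CVEs apply to a given product and version. It assumes version strings are dotted numerics with an optional trailing letter revision, as they appear in this advisory; Citrix build strings that carry further suffixes would need the parser extended.

```python
"""Check a Citrix SD-WAN product/version pair against the ranges in this advisory.

Added example, not Citrix code. Assumes versions are dotted numerics with an
optional trailing letter revision (e.g. "11.4.3a"), and that "11.4.3" sorts
before "11.4.3a", which is how the advisory's "before 11.4.3a" boundary reads.
"""
import re
from typing import Dict, List, Tuple

# Affected ranges transcribed from the advisory:
# product -> [(CVE, severity, first fixed version), ...]
# A version is affected by an entry when it is strictly before the fixed version.
ADVISORY: Dict[str, List[Tuple[str, str, str]]] = {
    "Citrix SD-WAN Standard/Premium Edition Appliance": [
        ("CVE-2022-27505", "High", "11.4.3a"),
        ("CVE-2022-27506", "Low", "11.4.1"),
    ],
    "Citrix SD-WAN Center Management Console": [
        ("CVE-2022-27506", "Low", "11.4.3"),
    ],
    "Citrix SD-WAN Orchestrator for On-Premises": [
        ("CVE-2022-27506", "Low", "13.2.1"),
    ],
}

# Dotted numeric components, optionally followed by a single letter revision.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z])?$")


def parse_version(text: str) -> Tuple[Tuple[int, ...], str]:
    """Split "11.4.3a" into ((11, 4, 3), "a"); "11.4.3" becomes ((11, 4, 3), "")."""
    m = _VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    return numbers, m.group(2) or ""


def version_key(text: str) -> Tuple[Tuple[int, ...], str]:
    """Sort key: numeric components padded so 11.4 == 11.4.0; a letter revision
    sorts after the bare release with the same numbers."""
    numbers, rev = parse_version(text)
    padded = numbers + (0,) * (4 - len(numbers))
    return padded, rev


def is_before(version: str, fixed: str) -> bool:
    """True when `version` is strictly older than `fixed`."""
    return version_key(version) < version_key(fixed)


def affected_cves(product: str, version: str) -> List[Tuple[str, str, str]]:
    """Return (CVE, severity, first fixed version) for each advisory entry
    that applies to the given product at the given version."""
    if product not in ADVISORY:
        raise ValueError(f"product not listed in this advisory: {product!r}")
    return [entry for entry in ADVISORY[product] if is_before(version, entry[2])]


if __name__ == "__main__":
    # Constructed sample inventory, not real deployment data.
    inventory = [
        ("Citrix SD-WAN Standard/Premium Edition Appliance", "11.4.3"),
        ("Citrix SD-WAN Standard/Premium Edition Appliance", "11.4.3a"),
        ("Citrix SD-WAN Center Management Console", "11.4.2"),
        ("Citrix SD-WAN Orchestrator for On-Premises", "13.2.1"),
    ]
    for product, version in inventory:
        hits = affected_cves(product, version)
        status = ", ".join(f"{cve} ({sev}, fixed in {fixed})" for cve, sev, fixed in hits) or "not affected"
        print(f"{product} {version}: {status}")
```

The comparison key pads the numeric components so that "11.4" and "11.4.0" compare equal, and treats a letter revision as later than the bare release with the same numbers; that ordering is what makes "before 11.4.3a" include 11.4.3 and exclude 11.4.3a.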