CVE-2019-13608

CVE Published	2019-08-29
Related CWE(s)	CWE-611: Improper Restriction of XML External Entity Reference
Related Vendor(s)	citrix
Related Product(s)	storefront_server
Exploitation Reported (CISA KEV)	2021-11-03
CVSS 3 Base Score	7.5 (HIGH)
CVSS 3 Attack Complexity	LOW
CVSS 3 Attack Vector	NETWORK

Citrix StoreFront Server before 1903, 7.15 LTSR before CU4 (3.12.4000), and 7.6 LTSR before CU8 (3.0.8000) allows XXE attacks.

Cyber Threat Graph Context

Explore how this CVE relates to the wider threat graph

Associated CAPEC Patterns

Data Serialization External Entities Blowup (CAPEC-221)

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.

References

CVE.org

View more information about CVE-2019-13608 on the official MITRE CVE website.

NIST National Vulnerability Database

CVE-2019-13608 on the NIST NVD.

CISA Known Exploited Vulnerabilities