CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: NONE
Availability Impact: NONE
AV:N/AC:L/Au:S/C:C/I:N/A:N

CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS
Percentile: 31.3%

Vulnerabilities have been discovered in multiple Citrix SD-WAN products. These vulnerabilities, if exploited, could result in the following security issues:
CVE-ID | Description | CWE | Affected Products | Pre-conditions |
---|---|---|---|---|
CVE-2022-27505 | Reflected cross-site scripting (XSS) | CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | Citrix SD-WAN Standard/Premium Edition Appliance | Victim user must have a current session on the vulnerable device. |
CVE-2022-27506 | Hard-coded credentials allow administrators to access the shell via the SD-WAN CLI | CWE-798: Use of Hard-coded Credentials | Citrix SD-WAN Center Management Console, Citrix SD-WAN Standard/Premium Edition Appliance, and Citrix SD-WAN Orchestrator for On-Premises | Admin access to SD-WAN CLI |
The following supported versions of Citrix SD-WAN are affected by the vulnerabilities:
Citrix SD-WAN Standard/Premium Edition Appliance before 11.4.3a
Citrix SD-WAN Center Management Console versions before 11.4.3
Citrix SD-WAN Standard/Premium Edition Appliance versions before 11.4.1
Citrix SD-WAN Orchestrator for On-Premises versions before 13.2.1