User Enumeration Vulnerability in Citrix XenApp by Citrix
CVE-2020-13998

5.3MEDIUM

Key Information:

Vendor: Citrix
Status: Xenapp
Vendor: CVE Published:; 11 June 2020

Summary

A vulnerability in Citrix XenApp 6.5 allows remote unauthenticated attackers to determine whether a user exists on the server when two-factor authentication (2FA) is enabled. This occurs due to the behavior of the 2FA error page, which is displayed only after a valid username is entered. As a result, attackers can exploit this mechanism to enumerate valid user accounts, posing a significant security risk. Note that this vulnerability affects products that are no longer maintained by Citrix.

References

https://gist.github.com/kampji/11e259d68ad98a6f0f898132f1...

x_refsource_MISC

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 11, 2020
Vulnerability Reserved
Jun 9, 2020