Xen Mobile contains a reflected cross-site scripting vulnerability


Last revised:

Xen Mobile can be tricked into displaying content of the attacker’s choosing. This could allow an attacker to take over the contents of a web page displayed to a user, enabling them to steal credentials or run arbitrary javascript on the user’s browser.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability
Score 5.8 Medium
Vector Network
Complexity Medium
Authentication None
Confidentiality Partial
Integrity Partial
Availability None
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

The following request shows arbitrary content to a user:


This vulnerability could be used to display a fake login page, designed to look exactly like the legitimate one, but with modifications allowing us to steal user credentials.

Because it is possible to execute javascript, this vulnerability could also be used to redirect users to another location or to prompt them to install an application of an attacker’s choosing on their mobile device via Xen Mobile’s designed functionality.

Advisory timeline

2018-03-28 – Reported to Citrix and acknowledged immediately

2018-05-21 – Issue reported fixed


Mitigation/further actions

  1. Remove public access to this service by moving it inside your network and configuring mobile devices to access it via a VPN or proxy that requires authentication
  2. Install an update rectifying this issue as soon as one is available