CVE-2018-18571

CRITICAL

Citrix XenMobile Server 10.8.0-10.9.0 - Incorrect Access Control

Description

An Incorrect Access Control vulnerability has been identified in Citrix XenMobile Server 10.8.0 before Rolling Patch 6 and 10.9.0 before Rolling Patch 3. An attacker can impersonate and take actions on behalf of any Mobile Application Management (MAM) enrolled device.

References (2)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/108081
Vendor Advisory x_refsource_confirm
https://support.citrix.com/article/CTX247736

Scores

CVSS v3 9.1
EPSS 0.0034
EPSS Percentile 56.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Details

CWE CWE-287
Status published
Products (2)
citrix/xenmobile_server 10.8.0 (6 CPE variants)
citrix/xenmobile_server 10.9.0 (3 CPE variants)
Published Jun 05, 2019
Tracked Since Feb 18, 2026