CVE-2019-13608: 
Citrix StoreFront vulnerability analysis and mitigation

Citrix StoreFront Server before version 1903, 7.15 LTSR before CU4 (3.12.4000), and 7.6 LTSR before CU8 (3.0.8000) contains an XML External Entity (XXE) processing vulnerability that could allow unauthorized access to sensitive information (NVD, CVE). The vulnerability was discovered in 2019 and has been added to CISA's Known Exploited Vulnerabilities Catalog.

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. This indicates that the vulnerability can be exploited over the network with low attack complexity, requires no privileges or user interaction, and can result in high confidentiality impact (NVD). The vulnerability is classified as CWE-611: Improper Restriction of XML External Entity Reference.

The XXE vulnerability could allow an unauthenticated attacker to access sensitive information from the affected Citrix StoreFront Server systems. The high confidentiality impact rating suggests that the vulnerability could lead to significant data exposure (NVD).

Organizations should upgrade to Citrix StoreFront Server version 1903 or later, 7.15 LTSR CU4 (3.12.4000) or later, or 7.6 LTSR CU8 (3.0.8000) or later, depending on their current version. CISA has mandated federal agencies to apply vendor updates according to their Known Exploited Vulnerabilities Catalog guidance (CISA).