CVE-2020-8983: 
Citrix ShareFile StorageZones Controller vulnerability analysis and mitigation

An arbitrary file write vulnerability (CVE-2020-8983) exists in all versions of Citrix ShareFile StorageZones (aka storage zones) Controller, affecting versions 5.9.0, 5.8.0, 5.7.0, 5.6.0, 5.5.0, and earlier versions. The vulnerability was disclosed in May 2020 and could allow unauthenticated attackers to compromise the storage zones controller, potentially giving them access to ShareFile users' documents and folders (Citrix Advisory, SecurityWeek).

The vulnerability affects customer-managed on-premises Citrix ShareFile storage zone controllers, a component that stores corporate data behind the firewall. Initial analysis revealed that at least one of the flaws resided in an outdated ASP.net Toolkit (AjaxControlToolkit) that Citrix ShareFile used, which contained directory traversal vulnerabilities. The vulnerability received a CVSS v3.1 Base Score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (Hacker News).

If exploited, the vulnerability could allow an unauthenticated attacker to compromise the storage zones controller and gain access to ShareFile users' documents and folders. The impact is particularly critical as both remote code execution and file access could be granted to everything hosted by ShareFile, whether on-premise or inside Citrix Cloud itself (BleepingComputer).

Citrix addressed the vulnerability in Storage Zones Controller versions 5.10.0 and later, 5.9.1 and later, 5.8.1 and later, and 5.7.1 and later. Organizations with customer-managed storage zones were advised to run a mitigation tool released by Citrix on storage zones controllers managing each impacted storage zone. It's important to note that storage zones created using a vulnerable version remain at risk even after controller updates (SecurityWeek).

The vulnerability was discovered by the Danske Bank Red Team, consisting of security researchers Saulius Pranckevičius, Petras Skėrus, Mads Bograd, Alexander Staalgaard, and Jonas Hansen. The discovery was part of their continuous vulnerability hunting efforts in their vendor stack (LinkedIn Post).