CVE-2023-3466: 
Citrix ADC VPX vulnerability analysis and mitigation

CVE-2023-3466 is a Reflected Cross-Site Scripting (XSS) vulnerability affecting Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway. The vulnerability was discovered in June 2023 and officially disclosed on July 19, 2023. The affected versions include NetScaler ADC and Gateway 13.1 before 13.1-49.13, 13.0 before 13.0-91.13, version 12.1 (end of life), ADC 13.1-FIPS before 13.1-37.159, ADC 12.1-FIPS before 12.1-55.297, and ADC 12.1-NDcPP before 12.1-55.297 (NVD).

The vulnerability is classified as a Reflected Cross-Site Scripting (XSS) issue with a CVSS v3.1 base score of 6.1 (MEDIUM) according to NVD, while Citrix Systems rates it with a CVSS score of 8.3 (HIGH). For exploitation, the affected appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or authentication, authorization, and auditing (AAA) virtual server (NVD).

The vulnerability allows attackers to perform Cross-site Scripting attacks, potentially leading to unauthorized access to sensitive information and manipulation of web content presented to users. The vulnerability affects both confidentiality and integrity of the system, though availability is not impacted (NVD).

Citrix has released patches to address this vulnerability. Organizations are advised to upgrade to the latest versions: NetScaler ADC and Gateway 13.1-49.13 or later, 13.0-91.13 or later, ADC 13.1-FIPS 13.1-37.159 or later, and ADC 12.1-FIPS/NDcPP 12.1-55.297 or later (Citrix Advisory).