
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2023-6184 is a Cross-Site Scripting (XSS) vulnerability discovered in Citrix Session Recording. Initially reported in late 2023, the vulnerability was later found to be more severe than its initial assessment: it allows Remote Code Execution (RCE) through an insecure .NET Remoting configuration that permits unsafe deserialization (Assetnote Research).
The vulnerability exists in the /SessionRecordingBroker endpoint of Citrix Session Recording, which exposes SOAP endpoints built on System.Runtime.Remoting. The configuration includes typeFilterLevel="Full", which removes the restriction on which types the remoting formatter will deserialize. Exploitation uses SOAP-formatted payloads and requires specific conditions: the request must use the POST or M-POST HTTP verb and carry a non-empty SOAPAction header. Citrix rates the CVSS v3.1 base score at 5.0 (MEDIUM) with the vector CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N, whereas NIST rates it higher at 7.2 (HIGH) (NVD).
When successfully exploited, this vulnerability allows attackers to achieve Remote Code Execution on the affected system. While initially classified as a Cross-Site Scripting vulnerability, security researchers demonstrated that it could lead to full system compromise through .NET deserialization attacks (Assetnote Research).
Citrix has released security updates to address this vulnerability. Organizations running affected versions of Citrix Session Recording should upgrade to the latest version that includes the security fixes (Citrix Advisory).
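As an added example (not part of this database entry or of Citrix's own configuration), the script below audits a .NET Remoting configuration for the weak typeFilterLevel="Full" setting described above and shows the hardened "Low" form that the fix direction implies. The XML sample is constructed for illustration and is not the real Session Recording configuration file.

```python
# Added example: audit a .NET Remoting configuration for server-side formatter
# providers that set typeFilterLevel="Full" (the setting this page describes).
# The XML below is constructed for illustration only; it is not Citrix's actual
# Session Recording configuration.
import xml.etree.ElementTree as ET

WEAK_CONFIG = """<configuration>
  <system.runtime.remoting>
    <application>
      <channels>
        <channel ref="http">
          <serverProviders>
            <formatter ref="soap" typeFilterLevel="Full"/>
            <formatter ref="binary" typeFilterLevel="Full"/>
          </serverProviders>
        </channel>
      </channels>
    </application>
  </system.runtime.remoting>
</configuration>"""

# Hardened form: "Low" is the .NET Framework default and restricts the set of
# types the formatter will deserialize from an untrusted caller.
HARDENED_CONFIG = WEAK_CONFIG.replace('typeFilterLevel="Full"', 'typeFilterLevel="Low"')


def find_full_type_filters(config_xml: str) -> list[str]:
    """Return 'channel/formatter' labels for every server-side formatter
    provider whose typeFilterLevel is "Full" (compared case-insensitively).
    A formatter with no typeFilterLevel attribute is treated as "Low"."""
    findings = []
    root = ET.fromstring(config_xml)
    for channel in root.iter("channel"):
        channel_name = channel.get("ref") or channel.get("id") or "?"
        providers = channel.find("serverProviders")
        if providers is None:
            continue  # client-only channel: nothing is deserialized server-side
        for fmt in providers.findall("formatter"):
            level = (fmt.get("typeFilterLevel") or "Low").lower()
            if level == "full":
                findings.append(f"{channel_name}/{fmt.get('ref', '?')}")
    return findings


if __name__ == "__main__":
    print("weak config:", find_full_type_filters(WEAK_CONFIG))          # ['http/soap', 'http/binary']
    print("hardened config:", find_full_type_filters(HARDENED_CONFIG))  # []
```

Run the audit against each web.config or application config on a host that exposes remoting channels; any finding is a candidate for the same class of deserialization exposure.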
Source: This report was generated using AI