CVE-2020-8300

Citrix ADC and Citrix/NetScaler Gateway before 13.0-82.41, 12.1-62.23, 11.1-65.20 and Citrix ADC 12.1-FIPS before 12.1-55.238 suffer from improper access control allowing SAML authentication hijack through a phishing attack to steal a valid user session. Note that Citrix ADC or Citrix Gateway must be configured as a SAML SP or a SAML IdP for this to be possible.

Published: Jun 16, 2021
Updated: Apr 14, 2023
CVE: CVE-2020-8300
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.5
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
citrix / netscaler_gateway	11.1	11.1-65.20
citrix / gateway	12.1	12.1-62.23
citrix / gateway	13.0	13.0-82.41
citrix / application_delivery_controller_firmware	11.1	11.1-65.20
citrix / application_delivery_controller_firmware	12.1	12.1-62.23
citrix / application_delivery_controller_firmware	13.0	13.0-82.41
citrix / application_delivery_controller_firmware	12.1	12.1-55.238

https://support.citrix.com/article/CTX297155

Vulnerability Database

289,689

CVE-2020-8300