A Cross-Site Scripting (XSS) vulnerability has been identified in XenMobile Server 10.x.
This vulnerability could potentially be used to execute malicious client-side script in the same context as legitimate content from the web server; if this vulnerability is used to execute script in the browser of an authenticated administrator then the script may be able to gain access to the administrator’s session or other potentially sensitive information.
This vulnerability has been assigned the following CVE number:
- CVE-2016-2789: Persistent Cross-Site Scripting vulnerability in Citrix XenMobile Server 10.x
This vulnerability affects the following versions of Citrix XenMobile Server:
- All versions of Citrix XenMobile Server 10.0
- Citrix XenMobile Server 10.1 earlier than Rolling Patch 4
- Citrix XenMobile Server 10.3 earlier than Rolling Patch 1
This vulnerability is not present in Citrix XenMobile Device Manager server 9.0 or earlier, formerly known as Zenprise Device Manager server.