Citrix CloudPortal Services Manager Multiple Security Updates

  • CTX137162
  • Created On  Sep 03, 2013
  • Updated On  Nov 01, 2013
  • Security Bulletin

Severity: Critical

Description of Problem

A number of vulnerabilities have been identified in Citrix CloudPortal Services Manager. These vulnerabilities affect all versions of Citrix CloudPortal Services Manager, formerly known as Cortex, up to and including version 10.0 with limited release Cumulative Update 2 applied.

These vulnerabilities have been assigned the following CVE numbers:

    • CVE-2013-2933: Impersonation vulnerability could allow unauthorised impersonation of other users

    • CVE-2013-2934: Authentication bypass vulnerability could allow unauthenticated users access to URLs hosted in the CortexServices site

    • CVE-2013-2935: Cross-site scripting vulnerability in the “Recorded Errors” view

    • CVE-2013-2936: Information disclosure vulnerability could allow unauthenticated enumeration of authenticated users

    • CVE-2013-2937: Information disclosure vulnerability via ASP.NET stack traces in error messages

    • CVE-2013-2938: Information disclosure vulnerability via the X-AspNet-Version and X-Powered-By HTTP headers

    • CVE-2013-2939: Privilege escalation vulnerability could allow a privileged user to insert malicious HTML content

    • CVE-2013-2940: Authentication bypass vulnerability in CAPTCHAs

What Customers Should Do

These vulnerabilities have been addressed in Cumulative Update 3 for Citrix CloudPortal Services Manager 10.0. Citrix strongly recommends that customers apply either Cumulative Update 3 or Cumulative Update 4 to their Citrix CloudPortal Services Manager 10.0 deployment as soon as possible.

Customers using Citrix CloudPortal Services Manager 11.0 are not affected by these vulnerabilities.

Cumulative Update 4 for Citrix CloudPortal Services Manager version 10.0 can be obtained from the following location:

CTX138612 – CloudPortal Services Manager Cumulative Update 4 - For CloudPortal Services Manager 10.0

Customers wishing to obtain Cumulative Update 3 should contact their Citrix Support representative.

In addition to the application of Cumulative Update 3 or Cumulative Update 4, Citrix strongly recommends that customers review the documents below to resolve the following issues:

Customers using versions of Citrix CloudPortal Services Manager earlier than version 10.0 must upgrade in order to remediate these issues.

What Citrix Is Doing

Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at

Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix Technical Support. Contract details for Citrix Technical Support are available through your distributor.

Reporting Security Vulnerabilities to Citrix

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. If you would like to report a security issue to Citrix, please compose an e-mail to stating the exact version of the product in which the vulnerability was found and the steps needed to reproduce the vulnerability.

Share your comments or find out more about this topic

Citrix Forums



Was this helpful?

Thank you for your feedback!

| Terms of Use | Privacy | Governance