Vigil@nce - Citrix XenDesktop: policy bypass after an upgrade
November 2013 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
After the Citrix XenDesktop product has been upgraded from version 5.x
to 7.0, an attacker can bypass the security policy previously
defined by the administrator.
Impacted products: XenDesktop
Severity: 2/4
Creation date: 23/10/2013
DESCRIPTION OF THE VULNERABILITY
The Citrix XenDesktop product uses security policy rules, which
carry permissions.
However, after an upgrade from version 5.x to 7.0, these permissions
are not correctly updated.
After the Citrix XenDesktop product has been upgraded from version 5.x
to 7.0, an attacker can therefore bypass the security policy
previously defined by the administrator.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Citrix-XenDesktop-policy-bypass-after-an-upgrade-13633