
CVE-2019-7217: Citrix ShareFile User Enumeration


Summary:
Application usernames can be enumerated from differences in the server's responses to the request that checks the OTP code. No authentication is required.

Tested Versions:
Citrix ShareFile through 19.1

Product URL:
https://www.sharefile.com/

Details:
Application usernames can be enumerated from differences in the server's responses to the request that checks the OTP code. No authentication is required.
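
The response-difference pattern described above, next to a hardened counterpart, as an added example that is not ShareFile code. The handler names, status codes, messages and sample user are assumptions made for illustration.

```python
import hmac

# Constructed sample store: username -> expected OTP (hypothetical data).
USERS = {"alice@example.com": "492817"}
# Dummy code compared against when the user does not exist, so both paths
# perform the same comparison work.
DUMMY_OTP = "000000"

GENERIC_FAILURE = (401, {"error": "Invalid username or code"})
SUCCESS = (200, {"status": "ok"})


def check_otp_leaky(username: str, otp: str):
    """Enumerable pattern: the response differs when the username is unknown."""
    if username not in USERS:
        return (404, {"error": "Unknown user"})  # assumed response shape
    if not hmac.compare_digest(USERS[username].encode(), otp.encode()):
        return (401, {"error": "Wrong code"})
    return SUCCESS


def check_otp_uniform(username: str, otp: str):
    """Hardened pattern: one failure response for every non-success case."""
    expected = USERS.get(username)
    known = expected is not None
    # Always run the comparison, using a dummy value for unknown users.
    candidate = expected if known else DUMMY_OTP
    match = hmac.compare_digest(candidate.encode(), otp.encode())
    if known and match:
        return SUCCESS
    return GENERIC_FAILURE


def responses_distinguish_users(handler) -> bool:
    """Regression check: does a wrong code for a known user produce a
    different response than the same request for an unknown user?"""
    known = handler("alice@example.com", "111111")
    unknown = handler("nobody@example.com", "111111")
    return known != unknown
```

A check like `responses_distinguish_users` belongs in the regression suite of any unauthenticated endpoint that takes a username, alongside rate limiting on that endpoint.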

Request:

Response if username is not correct:

Response if username is correct:

Timeline:
22-01-2019 Vendor disclosure
05-02-2019 Acknowledgement from vendor
02-05-2019 Public Release

Credit:
Discovered by Armando Huesca and Andrea Pessione of SKIT Cyber Security