QID 730077: Citrix ShareFile Storage Zone Access Control Vulnerability (CTX310780)

Citrix ShareFile is a secure file sharing and transfer service.

CVE-2021-22891: an improper access control issue has been identified in the Citrix ShareFile storage zones controller.

Affected Versions:
Storage zones created using the following versions of the storage zones controller are affected:
  • ShareFile StorageZones Controller 5.7 before 5.7.3
  • ShareFile StorageZones Controller 5.8 before 5.8.3
  • ShareFile StorageZones Controller 5.9 before 5.9.3
  • ShareFile StorageZones Controller 5.10 before 5.10.1
  • ShareFile StorageZones Controller 5.11 before 5.11.18

NOTE: Customers using Citrix-managed storage zones in the cloud are not affected by this issue.

QID Detection Logic (Authenticated):
This QID detects vulnerable versions by reading the install directory from the HKLM\SOFTWARE\Citrix\StorageCenter\InstallDir registry value and fetching the file version of bin\StorageCenter.dll beneath it.
QID Detection Logic (Unauthenticated):
The unauthenticated detection checks whether the UploadTest.aspx resource is reachable without authentication under the /, /storage/, /store/ and /sharefile/ directories.
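The authenticated check above can be reproduced locally on a storage zones controller host. The following PowerShell is an added example, not Qualys or Citrix code: it reads the InstallDir value from HKLM\SOFTWARE\Citrix\StorageCenter, takes the file version of bin\StorageCenter.dll, and compares it against the fixed build of the matching branch from the advisory's version list. It assumes the DLL file version tracks the controller version, which is what the QID logic relies on; the registry path, value name and DLL path are those named in the detection logic.

```powershell
# Added example (not Qualys's or Citrix's own code): local version check for CVE-2021-22891.
# Assumption: InstallDir under HKLM\SOFTWARE\Citrix\StorageCenter points at the controller
# install root and bin\StorageCenter.dll carries the controller's version.

function Test-StorageZonesControllerVersion {
    param(
        [string]$RegistryPath = 'HKLM:\SOFTWARE\Citrix\StorageCenter',
        [string]$ValueName    = 'InstallDir'
    )

    # First fixed build per affected branch, taken from the affected-versions list above.
    $fixedByBranch = @{
        '5.7'  = [version]'5.7.3'
        '5.8'  = [version]'5.8.3'
        '5.9'  = [version]'5.9.3'
        '5.10' = [version]'5.10.1'
        '5.11' = [version]'5.11.18'
    }

    # Resolve the install directory the same way the authenticated detection does.
    $installDir = (Get-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction Stop).$ValueName
    $dllPath = Join-Path -Path $installDir -ChildPath 'bin\StorageCenter.dll'
    if (-not (Test-Path -Path $dllPath)) {
        throw "StorageCenter.dll not found at $dllPath"
    }

    # Build a comparable [version] from the numeric parts rather than parsing the
    # free-form FileVersion string, which may carry trailing text.
    $info = (Get-Item -Path $dllPath).VersionInfo
    $fileVersion = [version]::new($info.FileMajorPart, $info.FileMinorPart,
                                  $info.FileBuildPart, $info.FilePrivatePart)
    $branch = '{0}.{1}' -f $fileVersion.Major, $fileVersion.Minor

    if (-not $fixedByBranch.ContainsKey($branch)) {
        # Branches not listed in CTX310780 are outside the advisory's affected set.
        return [pscustomobject]@{
            Path       = $dllPath
            Version    = $fileVersion
            Branch     = $branch
            Vulnerable = $false
            Note       = 'Branch not listed in CTX310780; no fixed build to compare against'
        }
    }

    $fixed = $fixedByBranch[$branch]
    return [pscustomobject]@{
        Path       = $dllPath
        Version    = $fileVersion
        Branch     = $branch
        Vulnerable = ($fileVersion -lt $fixed)
        Note       = "Fixed in $fixed"
    }
}

# Usage: run elevated on the controller host; Vulnerable = True means the build predates the fix.
Test-StorageZonesControllerVersion | Format-List
```

The comparison is done per branch because the fix landed separately in each supported line (5.7.3, 5.8.3, 5.9.3, 5.10.1, 5.11.18), so a single "less than 5.11.18" test would misclassify a patched 5.10.1 build.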

Successful exploitation of this vulnerability allows an unauthenticated, remote attacker to compromise the storage zones controller, allowing unauthorized access to sensitive information such as users' documents and folders.

  • CVSS v3: High (7.4)
  • CVSS v2: Medium (4)
  • Solution
    Customers are advised to refer to CTX310780 for further details pertaining to this vulnerability.

Vendor References

CVEs related to QID 730077: CVE-2021-22891

Software Advisories
  • Advisory ID: CTX310780
    Link: support.citrix.com/article/CTX310780