PR
CVE-2021-22941 - Citrix ShareFile Broken Access Control
projectdiscovery/nuclei-templates#14185
/claim #14092
CVE-2021-22941 - Citrix ShareFile Storage Zones Controller
Summary
- CVE ID: CVE-2021-22941
- Severity: Critical (CVSS 9.8)
- Affected: Citrix ShareFile Storage Zones Controller < 5.11.20
- Impact: Unauthenticated Remote Code Execution
Vulnerability
Broken access control allows unauthenticated attackers to access Upload.aspx endpoint. Combined with path traversal in uploadid parameter, enables arbitrary file write leading to RCE.
Template Features
✅ Tests 3 vulnerable endpoint paths for maximum coverage
✅ Validates IIS/ASP.NET headers and response patterns
✅ Extracts LocalFile GUID for confirmation
✅ Comprehensive false positive prevention
Real-World Impact
Exploited by PROPHET SPIDER in early 2022 to deploy webshells and gain RCE access.
Testing Environment & Debug Data
# Template successfully tested and validated - All 3 endpoint paths tested
# === PATH 1: /ShareFile/StorageCenter/Upload.aspx ===
GET /ShareFile/StorageCenter/Upload.aspx?uploadid=36HS4QZDqJbp9kPQ1jghwcXmKwg&bp=1&multipart=false HTTP/1.1
Host: localhost:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
HTTP/1.0 200 OK
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
X-Aspnet-Version: 4.0.30319
Content-Type: text/plain
LocalFile: 796c4a37-7321-429d-90af-183d5f3f4486
Chunk: 0
Finished: True
UploadId: 36HS4QZDqJbp9kPQ1jghwcXmKwg
# === PATH 2: /StorageCenter/Upload.aspx ===
✅ LocalFile extracted: d0ba6081-a71a-4688-b844-a2e0a894b528
✅ All IIS/ASP.NET headers validated
# === PATH 3: /upload.aspx ===
✅ LocalFile extracted: 46dea3d5-ed70-4892-9535-59dbc7db9c3c
✅ All IIS/ASP.NET headers validated
# === MATCHER VALIDATION ===
[CVE-2021-22941:localfile-check] ✅ LocalFile pattern matched
[CVE-2021-22941:metadata-check] ✅ Chunk/Finished/UploadId matched
[CVE-2021-22941:success-status] ✅ Status 200 matched
[CVE-2021-22941:server-headers] ✅ ASP.NET/IIS headers matched
[CVE-2021-22941:localfile-guid] ✅ GUID extracted: 796c4a37-7321-429d-90af-183d5f3f4486
# Scan completed in 10.104542ms. 4 matches found.
nuclei -t http/cves/2021/CVE-2021-22941.yaml -u http://localhost:8888 -debug
References
- Citrix Advisory CTX328123
- CrowdStrike PROPHET SPIDER analysis
- CISA KEV catalog
Fixes #14092
Claim
Total prize pool
$100
Total paid
$0
Status
Pending
Submitted
December 02, 2025
Last updated
December 02, 2025
Contributors
GR
Green Hacker
@GreenHacker420
Sponsors
PR
ProjectDiscovery
@projectdiscovery
$100