CVE-2020-13260

Sažetak

A vulnerability in the web-based management interface of RAD SecFlow-1v through 2020-05-21 could allow an authenticated attacker to upload a JavaScript file, with a stored XSS payload, that will remain stored in the system as an OVPN file in Configuration-Services-Security-OpenVPN-Config or as the static key file in Configuration-Services-Security-OpenVPN-Static Keys. This payload will execute each time a user opens an affected web page. This could be exploited in conjunction with CVE-2020-13259.

Reference

https://www.rad.com/products/secflow-1v-IIoT-Gateway#panels-ipe-paneid-143837
https://cxsecurity.com/issue/WLB-2020090063
https://www.exploit-db.com/exploits/48807

CVSS

Base:	4.3
Impact:	2.9
Exploitability:	8.6

Pristup

Vektor	Složenost	Autentikacija
NETWORK	MEDIUM	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
NONE	PARTIAL	NONE

CVSS vektor

AV:N/AC:M/Au:N/C:N/I:P/A:N

Zadnje važnije ažuriranje

21-07-2021 - 11:39

Objavljeno

17-09-2020 - 20:15