Vulnerability Details CVE-2020-13260
A vulnerability in the web-based management interface of RAD SecFlow-1v through 2020-05-21 could allow an authenticated attacker to upload a JavaScript file, with a stored XSS payload, that will remain stored in the system as an OVPN file in Configuration-Services-Security-OpenVPN-Config or as the static key file in Configuration-Services-Security-OpenVPN-Static Keys. This payload will execute each time a user opens an affected web page. This could be exploited in conjunction with CVE-2020-13259.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.007
EPSS Ranking 71.3%
CVSS Severity
CVSS v3 Score 6.1
CVSS v2 Score 4.3
References
- https://cxsecurity.com/issue/WLB-2020090063
- https://www.exploit-db.com/exploits/48807
- https://www.rad.com/products/secflow-1v-IIoT-Gateway#panels-ipe-paneid-143837
- https://cxsecurity.com/issue/WLB-2020090063
- https://www.exploit-db.com/exploits/48807
- https://www.rad.com/products/secflow-1v-IIoT-Gateway#panels-ipe-paneid-143837
Products affected by CVE-2020-13260
-
cpe:2.3:h:rad:secflow-1v:-
-
cpe:2.3:o:rad:secflow-1v_firmware:os-image_sf_0290_2.3.01.26