CVE-2020-13259
Published: 2020-09-16
Priority: P263 · high · 8.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploit: available (see the Exploit-DB entries below)
EPSS: 4.66% (90.6th percentile)
A vulnerability in the web-based management interface of RAD SecFlow-1v os-image SF_0290_2.3.01.26 could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections for the web UI on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. This could be exploited in conjunction with CVE-2020-13260.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rad | secflow-1v_firmware | — | — |
Detection & IOCs (extracted from sources)
- Monitor file uploads to the OpenVPN configuration page path (Configuration-Services-Security-OpenVPN-Config) for files containing JavaScript/script tags, which may indicate a stored XSS payload being planted via OVPN file upload.
- Detect CSRF exploitation attempts against the RAD SecFlow-1v web management interface by monitoring for cross-origin POST requests targeting device management actions (file uploads, reboots, factory reset) without CSRF tokens, particularly from unauthenticated or external origins.
- Alert on the chained exploitation pattern: CSRF (CVE-2020-13259) used to upload a file to a stored-XSS-vulnerable page on SecFlow-1v, enabling full account takeover. Look for automated file upload requests immediately following navigation to an external/attacker-controlled page.
- Vulnerability confirmed on a specific firmware version; devices on patched firmware (post Aug 25, 2020) are not affected. Verify device firmware version before applying detections.
- CVE-2020-13259 (CSRF) requires an authenticated user to be socially engineered into visiting a malicious link; exploitation is not fully unauthenticated end-to-end without user interaction.
- The stored XSS payload only executes when a user browses the compromised page after upload; detection must cover both the upload event and subsequent page-load execution.
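The two detection signals listed above (cross-origin state-changing POSTs without a CSRF token, and script markers inside an uploaded OVPN/static-key file) can be checked from the management interface's request log. The following detector is an added example written for this page, not code from RAD, the advisory authors or any of the linked sources. It assumes a log format that is not on the page: one JSON record per request carrying `method`, `path`, `host`, `origin`, `referer`, a `csrf_token` flag and, for uploads, the file body. The reboot and factory-reset paths are also assumptions; only the two OpenVPN page names come from the advisory.

```python
"""Added example detector for the SecFlow-1v IOCs: flags CSRF-shaped POSTs and
script payloads in OVPN/static-key uploads. Log format and most paths are assumed."""
import json
import re
from typing import Optional
from urllib.parse import urlsplit

# State-changing management actions. The two OpenVPN page names come from the
# advisory; "/reboot" and "/factory-reset" are assumed placeholders for the real UI paths.
STATE_CHANGING_PATHS = {
    "/Configuration-Services-Security-OpenVPN-Config",
    "/Configuration-Services-Security-OpenVPN-Static Keys",
    "/reboot",
    "/factory-reset",
}

# Markers that an uploaded "config" file actually carries script content.
SCRIPT_MARKERS = re.compile(r"<\s*script\b|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)


def _host_of(url: Optional[str]) -> Optional[str]:
    """Host part of an absolute URL, or None when the header is absent or unparseable."""
    if not url:
        return None
    return (urlsplit(url).hostname or "").lower() or None


def is_csrf_candidate(req: dict) -> bool:
    """True for a state-changing POST that carries no CSRF token and does not provably
    originate from the device's own origin (missing or foreign Origin/Referer).

    A browser-launched CSRF request carries the victim's session cookie but an
    Origin/Referer of the attacker's page (or none), and cannot include a per-session
    token the attacker never saw; that combination is what this flags."""
    if req.get("method") != "POST" or req.get("path") not in STATE_CHANGING_PATHS:
        return False
    if req.get("csrf_token"):
        return False  # token present; validating it is the server's job, not this detector's
    device = req.get("host", "").lower()
    source = _host_of(req.get("origin")) or _host_of(req.get("referer"))
    return source != device


def upload_has_script(body: Optional[str]) -> bool:
    """True if an uploaded file body contains script markers (stored-XSS planting signal)."""
    return bool(body) and SCRIPT_MARKERS.search(body) is not None


def analyze(log_lines: list) -> list:
    """Run both checks over JSON log records; return one finding per flagged request."""
    findings = []
    for line in log_lines:
        req = json.loads(line)
        tags = []
        if is_csrf_candidate(req):
            tags.append("csrf_candidate")
        if upload_has_script(req.get("upload_body")):
            tags.append("script_in_upload")
        if tags:
            findings.append({"path": req["path"], "tags": tags})
    return findings


# Constructed sample records (not real device logs).
SAMPLE_LOG = [
    # Same-origin upload of a plain OVPN config with a token: benign.
    json.dumps({"method": "POST", "path": "/Configuration-Services-Security-OpenVPN-Config",
                "host": "10.0.0.1", "origin": "https://10.0.0.1", "csrf_token": True,
                "upload_body": "client\nremote vpn.example 1194\n"}),
    # Reboot POST from a foreign origin with no token: the CSRF shape.
    json.dumps({"method": "POST", "path": "/reboot", "host": "10.0.0.1",
                "origin": "https://attacker.example", "csrf_token": False}),
    # Same-origin upload whose "config" is really a script: stored-XSS planting.
    json.dumps({"method": "POST", "path": "/Configuration-Services-Security-OpenVPN-Config",
                "host": "10.0.0.1", "referer": "https://10.0.0.1/config", "csrf_token": True,
                "upload_body": "<script>/* constructed marker */</script>"}),
    # Read-only GET: never a CSRF candidate, whatever the path.
    json.dumps({"method": "GET", "path": "/reboot", "host": "10.0.0.1"}),
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The Origin/Referer comparison is a heuristic for logs, not a substitute for the per-session anti-CSRF token the advisory says the firmware lacked; a request with neither header is still flagged because privacy settings strip Referer and the absence of a token is the part the server can enforce.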
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
GHSA
GHSA-88vv-mqm2-ch6r (ghsa_unreviewed · 2022-05-24 · CVSS 6.1): CVE-2020-13259 [MEDIUM], same description as the CVE record above.
GHSA
GHSA-hgrr-pqhr-c6c6 (ghsa_unreviewed · 2022-05-24 · CVSS 8.8): CVE-2020-13260 [HIGH] CWE-79
A vulnerability in the web-based management interface of RAD SecFlow-1v through 2020-05-21 could allow an authenticated attacker to upload a JavaScript file, with a stored XSS payload, that will remain stored in the system as an OVPN file in Configuration-Services-Security-OpenVPN-Config or as the static key file in Configuration-Services-Security-OpenVPN-Static Keys. This payload will execute each time a user opens an affected web page. This could be exploited in conjunction with CVE-2020-13259.
No detection rules found.
Exploit-DB
RAD SecFlow-1v SF_0290_2.3.01.26 - Persistent Cross-Site Scripting (exploitdb · 2020-09-14 · CVSS 8.8): CVE-2020-13260 [HIGH]
---
# Exploit Title: RAD SecFlow-1v SF_0290_2.3.01.26 - Persistent Cross-Site Scripting
# Date: 2020-08-31
# Exploit Author: Jonatan Schor and Uriel Yochpaz
# Vendor Homepage: https://www.rad.com/products/secflow-1v-IIoT-Gateway
# Version: SecFlow-1v os-image SF_0290_2.3.01.26
# Tested on: RAD SecFlow-1v
# CVE : N/A
A Stored-XSS vulnerability was found in multiple pages in the web-based
management interface of RAD SecFlow-1v.
An attacker could exploit this vulnerability by uploading a malicious file
as the OVPN file in Configuration-Services-Security-OpenVPN-Config or as
the static key file in Configuration-Services-Security-OpenVPN-Static Keys.
These files' content is presented to users while executing the malicious stored
J
Exploit-DB
RAD SecFlow-1v SF_0290_2.3.01.26 - Cross-Site Request Forgery (Reboot) (exploitdb · 2020-09-14 · CVSS 8.8): CVE-2020-13259 [HIGH]
---
# Exploit Title: RAD SecFlow-1v SF_0290_2.3.01.26 - Cross-Site Request Forgery (Reboot)
# Date: 2020-08-31
# Exploit Author: Uriel Yochpaz and Jonatan Schor
# Vendor Homepage: https://www.rad.com/products/secflow-1v-IIoT-Gateway
# Version: SecFlow-1v os-image SF_0290_2.3.01.26
# Tested on: RAD SecFlow-1v
# CVE : N/A
A vulnerability in the web-based management interface of RAD SecFlow-1v
could allow an unauthenticated, remote attacker to conduct a cross-site
request forgery (CSRF) attack on an affected system.
The vulnerability is due to insufficient CSRF protections for the web UI on
an affected device.
An attacker could exploit this vulnerability by persuading a user of the
interface to follow a malicious link.
Unit42
Network Security Trends: May-July 2021 (blogs_unit42 · 2021-09-17)
Yue Guan, Lei Xu. Published: September 17, 2021
Tags: Malware, Trend Reports, Vulnerabilities, Attack analysis, Exploit, Exploit in the wild, Network security trends
## Executive Summary
Unit 42 researchers continue to observe network security trends, tracking how cybercriminals take advantage of vulnerabilities in the real world. The following sections present our analysis of the most recently published vulnerabilities, including their severity and category distribution. Additionally, we provide insight into how the vulnerabilities are exploited in the wild based on real-world data collected from Palo Alto Networks Next-Generation Firewalls. We highlight vulnerabilities ranked medium severity and above that were newly published from May-July 2021 in order to raise awareness of their active exploits in the wild. We then draw conclusions about the most commonly exploited vulnerabilities we observed attackers using, as well as the severity, category and
Bugzilla
CVE-2020-10686 keycloak: remove other users MFA devices (bugzilla · 2020-03-18 · CVSS 4.1): CVE-2020-10686 [MEDIUM]
A community-only flaw was found where a malicious user can register himself and then use the remove devices form to post different credential ids with the hope of removing MFA devices for other users.
https://issues.jboss.org/browse/KEYCLOAK-13259
Discussion:
requesting CVE for this community-only flaw.
---
Acknowledgments:
Name: Oliver P (SCISYS – now part of CGI)