CVE-2020-13259
published 2020-09-16


Priority: P2 · 63 · high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Exploit: public PoC available
EPSS: 4.66% (90.6th percentile)
A vulnerability in the web-based management interface of RAD SecFlow-1v os-image SF_0290_2.3.01.26 could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections for the web UI on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. This could be exploited in conjunction with CVE-2020-13260.

Affected

1 range

Vendor    Product                Version range    Fixed in
rad       secflow-1v_firmware    (not listed)     (not listed)

Detection & IOCs (extracted from sources)

Source: https://github.com/UrielYochpaz/CVE-2020-13259
  • Monitor file uploads to the OpenVPN configuration page path (Configuration-Services-Security-OpenVPN-Config) for files containing JavaScript/script tags, which may indicate a stored XSS payload being planted via OVPN file upload.
  • Detect CSRF exploitation attempts against the RAD SecFlow-1v web management interface by monitoring for cross-origin POST requests targeting device management actions (file uploads, reboots, factory reset) without CSRF tokens, particularly from unauthenticated or external origins.
  • Alert on chained exploitation pattern: CSRF (CVE-2020-13259) used to upload a file to a stored-XSS-vulnerable page on SecFlow-1v, enabling full account takeover. Look for automated file upload requests immediately following navigation to an external/attacker-controlled page.
  • Vulnerability confirmed on a specific firmware version; devices on patched firmware (post Aug 25, 2020) are not affected. Verify device firmware version before applying detections.
  • CVE-2020-13259 (CSRF) requires an authenticated user to be socially engineered into visiting a malicious link; exploitation is not fully unauthenticated end-to-end without user interaction.
  • The stored XSS payload only executes when a user browses the compromised page after upload; detection must cover both the upload event and subsequent page-load execution.
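The two detection bullets above (cross-origin, token-less POSTs to management actions, and OpenVPN config uploads carrying script tags) as a small classifier over constructed request records. This is an added example, not code from the page or from the linked PoC repository; the device hostname, the endpoint paths and the csrf_token field name are assumptions and must be replaced with the real SecFlow-1v values.

```python
import re
from urllib.parse import urlparse

DEVICE_HOST = "secflow.example.internal"                 # assumed management hostname
MGMT_ACTIONS = {"/upload", "/reboot", "/factory_reset"}  # assumed state-changing endpoints
OVPN_UPLOAD_PATH = "/upload"                             # assumed OpenVPN config upload path
SCRIPT_RE = re.compile(r"<\s*script\b|javascript:", re.IGNORECASE)


def _origin_host(headers):
    """Host of the Origin header, falling back to Referer; None if neither is present."""
    src = headers.get("Origin") or headers.get("Referer")
    return urlparse(src).hostname if src else None


def classify(req):
    """Return the list of finding labels for one request record (dict, see SAMPLE)."""
    findings = []
    if req["method"] == "POST" and req["path"] in MGMT_ACTIONS:
        host = _origin_host(req["headers"])
        token = req.get("form", {}).get("csrf_token")
        # A state-changing POST whose Origin/Referer is foreign or absent and which
        # carries no anti-CSRF token matches the CVE-2020-13259 pattern. A missing
        # Origin is treated as suspicious on purpose (conservative choice).
        if host != DEVICE_HOST and not token:
            findings.append("csrf-suspect")
    if req["method"] == "POST" and req["path"] == OVPN_UPLOAD_PATH:
        # An uploaded OVPN file containing script markup is the stored-XSS indicator.
        if SCRIPT_RE.search(req.get("body", "")):
            findings.append("stored-xss-upload")
    return findings


# Constructed sample traffic, not captured from a real device.
SAMPLE = [
    {"method": "POST", "path": "/reboot", "headers": {"Origin": "https://secflow.example.internal"},
     "form": {"csrf_token": "t0k3n"}, "body": ""},
    {"method": "POST", "path": "/reboot", "headers": {"Referer": "http://lure.example/page.html"},
     "form": {}, "body": ""},
    {"method": "POST", "path": "/upload", "headers": {"Referer": "http://lure.example/page.html"},
     "form": {}, "body": "client\nremote vpn.example 1194\n<script>test</script>\n"},
    {"method": "GET", "path": "/status", "headers": {}, "form": {}, "body": ""},
]


def run(records=SAMPLE):
    """Map each record index to its findings, omitting clean requests."""
    return {i: f for i, r in enumerate(records) if (f := classify(r))}
```

Record 2 in the sample triggers both labels at once, which is the chained CSRF-to-stored-XSS pattern the third bullet describes.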

CVSS provenance

NVD, CVSS v3.1: 8.8 HIGH    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 9.3 CRITICAL    AV:N/AC:M/Au:N/C:C/I:C/A:C