CVE-2020-13409
CVE-2020-13409 is a medium-severity vulnerability rated 5.9/10 on the CVSS scale. It is a combined reflected and stored cross-site scripting (XSS) flaw in Tufin SecureTrack before R20-2 GA; because the injected payload can be triggered in an administrator's session, an unauthenticated attacker could obtain admin-level access. EPSS estimates a 0.44% chance of exploitation in the next 30 days.
Description
Tufin SecureTrack < R20-2 GA contains a reflected and stored XSS vulnerability: the injected value is reflected back to the user, but it is also stored in the database and can later be triggered again by the same victim or by different users. Both the stored and the reflected payloads can be triggered by an admin, so a malicious unauthenticated user could gain admin-level access. Even a malicious low-privileged user can inject XSS that is executed by an admin, potentially elevating privileges and obtaining admin access. (issue 3 of 3)
Metrics
CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Tufin | SecureTrack | < R20-2 GA |
References
- https://github.com/Accenture/AARO-Bugs/blob/master/AARO-CVE-List.md (Third Party Advisory)
Source: NVD / NIST
