Jump to content
  • Hello visitors, welcome to the Hacker World Forum!

    Red Team 1949  (formerly CHT Attack and Defense Team) In this rapidly changing Internet era, we maintain our original intention and create the best community to jointly exchange network technologies. You can obtain hacker attack and defense skills and knowledge in the forum, or you can join our Telegram communication group to discuss and communicate in real time. All kinds of advertisements are prohibited in the forum. Please register as a registered user to check our usage and privacy policy. Thank you for your cooperation.

    TheHackerWorld Official

RAD SecFlow-1v SF_0290_2.3.01.26 - Persistent Cross-Site Scripting

 Share


Recommended Posts

# Exploit Title: RAD SecFlow-1v SF_0290_2.3.01.26 - Persistent Cross-Site Scripting
# Date: 2020-08-31
# Exploit Author: Jonatan Schor and Uriel Yochpaz
# Vendor Homepage: https://www.rad.com/products/secflow-1v-IIoT-Gateway
# Version: SecFlow-1v os-image SF_0290_2.3.01.26
# Tested on: RAD SecFlow-1v
# CVE : N/A

A Stored-XSS vulnerability was found in multiple pages in the web-based
management interface of RAD SecFlow-1v.
An attacker could exploit this vulnerability by uploading a malicious file
as the OVPN file in Configuration-Services-Security-OpenVPN-Config or as
the static key file in Configuration-Services-Security-OpenVPN-Static Keys.
These files content is presented to users while executing malicious stored
JavaScript code.
This could be exploited in conjunction with CVE-2020-13259

# Proof of Concept
Upload a file containing the following JS code:
<img src=x onerror=alert(1)>
Refresh the page and observe the malicious JS code execute every time you
browse the compromised page.

# Full Account Takeover
As mentioned above, this exploit could be used in conjunction with
CVE-2020-13259 (CSRF), by using the CSRF exploit to upload a malicious file
to a Stored-XSS vulnerabale page, which could allow Full Account Takeover.
For further information and full PoC:
https://github.com/UrielYochpaz/CVE-2020-13259

# Timeline
May 19th, 2020 - Vulnerability exposed.
May 19th, 2020 – Vulnerability reported to RAD.
May 21th, 2020 – Vulnerability reported to MITRE.
May 21th, 2020 – MITRE assigned CVE: CVE-2020-13260.
May 22th, 2020 – Contacted RAD for further details and cooperation.
Aug 25th, 2020 – RAD patched the vulnerability.
            
Link to post
Link to comment
Share on other sites

 Share

discussion group

discussion group

    You don't have permission to chat.
    • Recently Browsing   0 members

      • No registered users viewing this page.
    ×
    ×
    • Create New...