PT-2019-9589 · Tufin · Tufinos+1

Published: 2019-06-19 · Updated: 2019-06-24 · CVE-2018-18406

CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Tufin SecureTrack version 18.1 with TufinOS 2.16 build 1179 (Final)

Description: A blind XXE vulnerability was discovered in the Audit Report module. The issue is triggered when a new Best Practices Report is saved with a crafted payload in the xml input field. The vulnerability is considered blind because the response does not directly display the requested file; instead, the file contents are returned inside the name data field once the report has been saved. As a result, an attacker can read restricted operating system files. All user types are affected, including administrators and normal users.

Recommendations: For Tufin SecureTrack version 18.1 with TufinOS 2.16 build 1179 (Final), consider disabling the Audit Report module or restricting access to it until a patch is available. Avoid using the xml input field in the affected module to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
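The root cause described above is an XML parser that honours a DTD supplied in a user-controlled field, so an external entity declared in that DTD is expanded and its contents end up in a stored field that is later echoed back. The following is an added example of the defensive pattern, not Tufin's code or a vendor fix: an intake routine for an XML form field, built only on the standard library's expat bindings, that refuses any document carrying a DOCTYPE or entity declaration before a single entity can be expanded or any external resource fetched. The sample documents, the `report`/`name` element names and the `file:///path/to/restricted-file` URI are constructed for illustration and are not taken from the advisory.

```python
"""Hardened XML intake for a user-supplied XML field (added example).

Defender-side mitigation for the class of bug in the advisory: never let
the parser process a DTD at all. Without a DTD there are no internal or
external entities, so nothing can be pulled from the filesystem and
reflected into a stored field such as a report name.
"""
import xml.parsers.expat


class DTDRejected(ValueError):
    """Raised when the submitted XML carries a DOCTYPE or entity declaration."""


def parse_without_dtd(document: str) -> dict:
    """Parse a small XML document into {tag: text}, refusing any DTD.

    Returns a dict mapping each element name to the character data seen
    directly inside it. Raises DTDRejected as soon as a <!DOCTYPE ...>,
    <!ENTITY ...> or external entity reference appears; expat propagates
    the exception out of Parse(), so parsing stops at that point.
    """
    parser = xml.parsers.expat.ParserCreate()
    result: dict = {}
    stack: list = []

    def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        # Fires on the DOCTYPE itself, before any entity inside it is declared.
        raise DTDRejected(f"DOCTYPE {doctype_name!r} is not allowed in this field")

    def reject_entity(*_args):
        # Defence in depth: would fire for <!ENTITY ...> if a DOCTYPE slipped through.
        raise DTDRejected("entity declarations are not allowed in this field")

    def reject_external(context, base, system_id, public_id):
        # Would fire when the parser is asked to resolve a SYSTEM/PUBLIC entity.
        raise DTDRejected(f"external entity {system_id!r} is not allowed")

    def start(name, attrs):
        stack.append(name)
        result.setdefault(name, "")

    def end(name):
        stack.pop()

    def chars(data):
        # expat may deliver text in several chunks; concatenate them.
        if stack:
            result[stack[-1]] += data

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(document, True)
    return result


def rejects(document: str) -> bool:
    """True if the intake routine refuses the document because of a DTD."""
    try:
        parse_without_dtd(document)
    except DTDRejected:
        return True
    return False


# Constructed sample inputs (not from the advisory).
BENIGN_REPORT = "<report><name>Quarterly best practices</name></report>"

# Shape of an external-entity payload: the entity body would be the file
# contents, which a naive parser would copy into <name> and persist.
XXE_REPORT = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE r [<!ENTITY ext SYSTEM "file:///path/to/restricted-file">]>'
    "<report><name>&ext;</name></report>"
)

# Even a purely internal entity is refused: the policy is "no DTD", not
# "no external entities", which also closes off entity-expansion DoS.
INTERNAL_ENTITY_REPORT = (
    '<!DOCTYPE r [<!ENTITY greeting "hello">]>'
    "<report><name>&greeting;</name></report>"
)

if __name__ == "__main__":
    print(parse_without_dtd(BENIGN_REPORT))
    print("XXE payload rejected:", rejects(XXE_REPORT))
    print("internal entity rejected:", rejects(INTERNAL_ENTITY_REPORT))
```

Rejecting the DTD outright is simpler and safer than trying to allow "harmless" entities: the stored name field can then only ever contain text that was literally present in the submitted document, so there is nothing for a blind read to leak back through it.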

Exploit

XXE


Weakness Enumeration

Related Identifiers

CVE-2018-18406

Affected Products

Tufin SecureTrack
TufinOS