CVE-2020-13260

Name of the Vulnerable Software and Affected Versions RAD SecFlow-1v versions through 2020-05-21

Description A stored XSS issue exists in the web-based management interface, allowing an authenticated attacker to upload a JavaScript file with a malicious payload. This payload remains stored in the system as an OVPN file in Configuration-Services-Security-OpenVPN-Config or as the static key file in Configuration-Services-Security-OpenVPN-Static Keys. The payload executes each time a user opens an affected web page.

Recommendations For RAD SecFlow-1v versions through 2020-05-21, consider restricting access to the web-based management interface until a fix is available. As a temporary workaround, avoid using the Configuration-Services-Security-OpenVPN-Config and Configuration-Services-Security-OpenVPN-Static Keys sections to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.