PT-2021-9603 · Tufin · Tufin Securetrack

Published 2021-02-09 · Updated 2021-03-08 · CVE-2020-13407

CVSS v3.1 5.9 Medium

Vector: AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Tufin SecureTrack versions prior to R20-2 GA

Description: The issue is a combined reflected and stored XSS. The injected value is not only reflected back to the user but also stored in the database, so the stored payload can be triggered again later by the same victim or by other users. Because both the stored and the reflected payloads can be triggered in an admin's session, a malicious unauthenticated user could potentially gain admin-level access. Likewise, a malicious low-privileged user can inject XSS that executes for an admin, potentially elevating privileges to admin level.

Recommendations: For versions prior to R20-2 GA, update to R20-2 GA or later to resolve the issue. As a temporary workaround, consider restricting access to the areas where XSS can be injected to reduce the risk of exploitation, and avoid using the application with admin privileges until the issue is resolved.
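The advisory describes the classic stored-XSS failure: a value is saved as supplied and later spliced into an HTML page viewed by a higher-privileged user. The following Python is an added illustration written for this page; it is not Tufin code and does not reflect how SecureTrack stores or renders data. It assumes a constructed in-memory store standing in for the database and a single element-content rendering context, and shows the vulnerable render path beside a hardened one that entity-encodes on output, plus a small triage helper a defender can run over already-stored values while a workaround is in place.

```python
import html
import re

# Constructed in-memory key/value store standing in for the application's
# database. The real product's storage layer and templating are not on the page.
STORE: dict[str, str] = {}


def save_field(record_id: str, value: str) -> None:
    """Persist the raw value. Storing unencoded input is acceptable as long as
    every render path encodes for the context it writes into."""
    STORE[record_id] = value


def render_unsafe(record_id: str) -> str:
    """Vulnerable render path: the stored value is spliced into HTML unchanged,
    so a stored payload executes in the browser of whoever views the page,
    including an admin."""
    return f'<td class="name">{STORE[record_id]}</td>'


def render_safe(record_id: str) -> str:
    """Hardened render path: entity-encode < > & " ' for the element-content
    context. The value stays readable but can no longer close the element or
    start a tag. Attribute, URL and script contexts need their own encoders."""
    return f'<td class="name">{html.escape(STORE[record_id], quote=True)}</td>'


# Heuristic tokens that have no business in a plain name or description field:
# a tag opener, a javascript: URL, or an inline event-handler attribute.
_MARKUP = re.compile(r"<\s*/?[a-zA-Z!]|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)


def find_suspicious(store: dict[str, str]) -> list[str]:
    """Triage helper for a database that may already hold injected values:
    return the record ids whose stored text contains markup-like tokens so
    they can be reviewed and cleaned before an admin opens the page."""
    return sorted(k for k, v in store.items() if _MARKUP.search(v))


def demo() -> dict[str, str]:
    """Populate the constructed store with one benign and one injected value
    (both constructed samples) and render them both ways."""
    save_field("r1", 'Alice <script>alert("xss")</script>')
    save_field("r2", "Bob's firewall")
    return {
        "unsafe": render_unsafe("r1"),
        "safe": render_safe("r1"),
        "plain": render_safe("r2"),
    }


if __name__ == "__main__":
    for label, markup in demo().items():
        print(f"{label}: {markup}")
    print("suspicious records:", find_suspicious(STORE))
```

The point of the split between `save_field` and the two render functions is that the fix belongs at the output boundary: encoding on storage alone breaks legitimate data and misses values that entered through another path, whereas encoding at every render site neutralises a payload regardless of who stored it or when.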

Exploit

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2020-13407

Affected Products

Tufin Securetrack