PT-2021-9605 · Tufin · Tufin Securetrack

Published: 2021-02-09 · Updated: 2021-03-08 · CVE-2020-13409

CVSS v3.1: 5.9 (Medium)

Vector: AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Tufin SecureTrack versions prior to R20-2 GA
Description: The issue concerns reflected and stored Cross-Site Scripting (XSS) in Tufin SecureTrack. It allows a malicious unauthenticated user to potentially gain admin-level access. Both stored and reflected payloads execute when triggered by an administrator, and even a low-privileged user can inject an XSS payload that is later executed in an administrator's session, potentially elevating privileges and obtaining admin access.
Recommendations: For versions prior to R20-2 GA, update to R20-2 GA or later to resolve the issue. As a temporary workaround, consider restricting access to the areas where XSS can be injected to minimize the risk of exploitation, and avoid using the application with admin privileges until the issue is resolved.

Tag: XSS

Weakness Enumeration

Related Identifiers: CVE-2020-13409

Affected Products: Tufin SecureTrack