# Exploit Title: RAD SecFlow-1v web-based management interface - Persistent Cross-Site Scripting (Stored-XSS) # Date: 31.08.2020 # Exploit Author: Jonatan Schor and Uriel Yochpaz # Vendor Homepage: https://www.rad.com/products/secflow-1v-IIoT-Gateway # Version: SecFlow-1v os-image SF_0290_2.3.01.26 # Tested on: RAD SecFlow-1v # CVE : CVE-2020-13260 A Stored-XSS vulnerability was found in multiple pages in the web-based management interface of RAD SecFlow-1v. An attacker could exploit this vulnerability by uploading a malicious file as the OVPN file in Configuration-Services-Security-OpenVPN-Config or as the static key file in Configuration-Services-Security-OpenVPN-Static Keys. These files content is presented to users while executing malicious stored JavaScript code. This could be exploited in conjunction with CVE-2020-13259 # Proof of Concept Upload a file containing the following JS code: <img src=x onerror=alert(1)> Refresh the page and observe the malicious JS code execute every time you browse the compromised page. # Full Account Takeover As mentioned above, this exploit could be used in conjunction with CVE-2020-13259 (CSRF), by using the CSRF exploit to upload a malicious file to a Stored-XSS vulnerabale page, which could allow Full Account Takeover. For further information and full PoC: https://github.com/UrielYochpaz/CVE-2020-13259 # Timeline May 19th, 2020 - Vulnerability exposed. May 19th, 2020 – Vulnerability reported to RAD. May 21th, 2020 – Vulnerability reported to MITRE. May 21th, 2020 – MITRE assigned CVE: CVE-2020-13260. May 22th, 2020 – Contacted RAD for further details and cooperation. Aug 25th, 2020 – RAD patched the vulnerability.