# Exploit Title: RAD SecFlow-1v web-based management interface - Persistent Cross-Site Scripting (Stored-XSS)
# Date: 31.08.2020
# Exploit Author: Jonatan Schor and Uriel Yochpaz
# Vendor Homepage: https://www.rad.com/products/secflow-1v-IIoT-Gateway
# Version: SecFlow-1v os-image SF_0290_2.3.01.26
# Tested on: RAD SecFlow-1v
# CVE : CVE-2020-13260
A Stored-XSS vulnerability was found in multiple pages in the web-based management interface of RAD SecFlow-1v.
An attacker could exploit this vulnerability by uploading a malicious file as the OVPN file in Configuration-Services-Security-OpenVPN-Config or as the static key file in Configuration-Services-Security-OpenVPN-Static Keys.
These files content is presented to users while executing malicious stored JavaScript code.
This could be exploited in conjunction with CVE-2020-13259
# Proof of Concept
Upload a file containing the following JS code:
<img src=x onerror=alert(1)>
Refresh the page and observe the malicious JS code execute every time you browse the compromised page.
# Full Account Takeover
As mentioned above, this exploit could be used in conjunction with CVE-2020-13259 (CSRF), by using the CSRF exploit to upload a malicious file to a Stored-XSS vulnerabale page, which could allow Full Account Takeover.
For further information and full PoC: https://github.com/UrielYochpaz/CVE-2020-13259
# Timeline
May 19th, 2020 - Vulnerability exposed.
May 19th, 2020 – Vulnerability reported to RAD.
May 21th, 2020 – Vulnerability reported to MITRE.
May 21th, 2020 – MITRE assigned CVE: CVE-2020-13260.
May 22th, 2020 – Contacted RAD for further details and cooperation.
Aug 25th, 2020 – RAD patched the vulnerability.