CVE-2020-13134

Published: Jan 20, 2021Modified: Nov 21, 2024

4.8

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Exploitability: 1.7 / Impact: 2.7

Source: NVD

Description

Tufin SecureChange prior to R19.3 HF3 and R20-1 HF1 are vulnerable to stored XSS. The successful exploitation requires admin privileges (for storing the XSS payload itself), and can exploit (be triggered by) admin users. All TOS versions with SecureChange deployments prior to R19.3 HF3 and R20-1 HF1 are affected. Vulnerabilities were fixed in R19.3 HF3 and R20-1 HF1.

Affected (3)

Products: Tufin: Securechange

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Tufin Securechange	Before r19-3
Tufin Securechange	Version r19-3
Tufin Securechange	Version r20-1

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (4)

https://github.com/Accenture/AARO-Bugs/blob/master/AARO-CVE-List.md

Source: cve@mitre.org

Third Party Advisory

https://portal.tufin.com/aspx/SecurityAdvisories

Source: cve@mitre.org

Permissions Required

https://github.com/Accenture/AARO-Bugs/blob/master/AARO-CVE-List.md

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://portal.tufin.com/aspx/SecurityAdvisories

Source: af854a3a-2127-422b-91ae-364da2661108

Permissions Required

Timeline

No history available yet.