CVE-2020-13134

Tufin SecureChange prior to R19.3 HF3 and R20-1 HF1 are vulnerable to stored XSS. The successful exploitation requires admin privileges (for storing the XSS payload itself), and can exploit (be triggered by) admin users. All TOS versions with SecureChange deployments prior to R19.3 HF3 and R20-1 HF1 are affected. Vulnerabilities were fixed in R19.3 HF3 and R20-1 HF1.

Published: Jan 20, 2021
Updated: Apr 13, 2023
CVE: CVE-2020-13134
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 4.8
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CVSS v2:

Severity: Low
Score: 3.5
AV:N/AC:M/Au:S/C:N/I:P/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
tufin / securechange	r20-1	r20-1.x
tufin / securechange	r19-3	r19-3.x
tufin / securechange	-	r19-3

https://github.com/Accenture/AARO-Bugs/blob/master/AARO-CVE-List.md
https://portal.tufin.com/aspx/SecurityAdvisories

Vulnerability Database

289,871

CVE-2020-13134