CVE-2020-9390 - Stored cross-site scripting (Web Content and Visio tile)
CVE: CVE-2020-9390
Description
Cross-site scripting (XSS) enables attackers to inject malicious content into a website or application.
Before SquaredUp DS version 4.6, stored XSS was possible for Web Content and Visio tiles.
Users could create a dashboard with a Web Content tile that embeds an iframe pointing to malicious JavaScript. For example, it was possible to point to a page that mimics a session timeout and asks for credentials when a user views the dashboard.
Users could also create a dashboard with a Visio tile that uses an SVG containing malicious script, which then executes in the viewing user's session. Whenever a user viewed a dashboard with the malicious content, the JavaScript was executed in the context of their browser.
Fix
JavaScript is now blocked from iframes in Web Content tiles.
A purifier for SVG images has been implemented to ensure the image is free from malicious scripts.
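The two fixes described above, sketched as an added Python example that is not SquaredUp's code: an SVG purifier that strips script elements, on* event-handler attributes and javascript: links, and an iframe emitted with an empty sandbox attribute so the embedded page cannot run script. The function names, the blocked-tag list and the sample SVG are my own assumptions.

```python
import html
import xml.etree.ElementTree as ET

SVG_NS, XLINK_NS = "http://www.w3.org/2000/svg", "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)       # keep the output free of ns0: prefixes
ET.register_namespace("xlink", XLINK_NS)
BLOCKED_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}  # run/load script
URL_ATTRS = {"href", "{%s}href" % XLINK_NS}   # SVG 2 href and the older xlink:href

def _local(qname):
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return qname.split("}", 1)[1] if "}" in qname else qname

def is_unsafe_url(value):
    """True for javascript:, vbscript: and data: URLs, even with whitespace inserted."""
    compact = "".join(value.split()).lower()
    return compact.startswith(("javascript:", "vbscript:", "data:"))

def purify_svg(svg_text):
    """Return svg_text with script elements, on* handlers and script URLs removed."""
    root = ET.fromstring(svg_text)
    if _local(root.tag) != "svg":
        raise ValueError("not an SVG document")
    # Snapshot the tree first: removing children while iterating would skip nodes
    for parent in list(root.iter()):
        for child in list(parent):
            if _local(child.tag) in BLOCKED_TAGS:
                parent.remove(child)
    for el in root.iter():
        for name in list(el.attrib):
            if _local(name).lower().startswith("on") or (
                    name in URL_ATTRS and is_unsafe_url(el.attrib[name])):
                del el.attrib[name]
    return ET.tostring(root, encoding="unicode")

def sandboxed_iframe(src):
    """Embed a web page so it cannot run script or reach the host page's origin."""
    if is_unsafe_url(src):
        raise ValueError("refusing script/data URL as iframe source")
    # An empty sandbox attribute applies every restriction, including no scripts
    return '<iframe sandbox="" src="%s"></iframe>' % html.escape(src, quote=True)

# Constructed sample, not a real dashboard tile: three separate script vectors
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <script>alert(1)</script>
  <a xlink:href="javascript:alert(2)"><circle r="10" onload="alert(3)"/></a>
  <rect width="5" height="5"/>
</svg>"""
```

Calling `purify_svg(SAMPLE_SVG)` keeps the `circle` and `rect` shapes but drops the script element, the onload handler and the javascript: link.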
What should you do?
If you are using a SquaredUp DS version earlier than 4.6, update to version 4.6 or later.
Affected and resolved software versions
| Product | Affected versions | Resolved versions |
|---|---|---|
| SquaredUp DS for SCOM | Versions earlier than 4.6 | 4.6 and later versions |
| SquaredUp DS for Azure | Versions earlier than 4.6 | 4.6 and later versions |
Acknowledgement
SquaredUp would like to thank Giuseppe-Diego Gianni from NATO for reporting this vulnerability.
Did you notice a vulnerability or need further help?
Please contact SquaredUp Support if you have any questions about this vulnerability or need further help.
If you believe you've found a different security vulnerability in one of our products please report it by emailing our support team so we can work on fixing it: security@squaredup.com
Revision history of this article
| Date | Change |
|---|---|
| 3.2.2021 | Initial release |
| 10.6.2021 | Updated support contact information |
| 8.11.2021 | Updated title |