CVE-2021-40093 - Stored cross-site scripting (Action Buttons)

CVE:CVE-2021-40093

Description

Cross-site scripting (XSS) enable attackers to bring malicious content into a website or application.

Before SquaredUp DS version 5.3.1, stored XSS was possible for action buttons. Exploiting this vulnerability was possible for SquaredUp DS users who can create dashboards.

Fix

A purifier for action buttons has been implemented to ensure the action is free from malicious scripts.

What should you do?

If you are using a SquaredUp DS version earlier than 5.3.1, update to version 5.3.1 or later.

Affected and resolved software versions

Product	Affected versions	Resolved versions
SquaredUp DS for SCOM	Versions earlier than 5.3.1	5.3.1 and later versions
SquaredUp DS for Azure	Versions earlier than 5.3.1	5.3.1 and later versions
SquaredUp DS Standalone	Versions earlier than 5.3.1	5.3.1 and later versions

Acknowledgement

SquaredUp would like to thank Kajetan Rostojek from ING Tech Poland for reporting this vulnerability.

Did you notice a vulnerability or need further help?

Please contact SquaredUp Support if you have any questions about this vulnerability or need further help.

If you believe you've found a different security vulnerability in one of our products please report it by emailing our support team so we can work on fixing it: security@squaredup.com

Revision history of this article

10.11.2021

Initial release

DS SCOM LIVE KB.10.log-1572047242.zip
10 KB Download