CVE-2020-9390 - Stored cross-site scripting (Web Content tile)
CVE: CVE-2020-9390
Description
Cross-site scripting (XSS) enables attackers to inject malicious content into a website or application.
Before SquaredUp DS version 4.6, stored XSS was possible in Web Content tiles. The vulnerability could be exploited by any SquaredUp DS user who can create dashboards.
Users could create a dashboard with a Web Content tile that embeds an iframe pointing to malicious JavaScript. For example, it was possible to point to a page that emulates session timeout and asks for credentials when a user views the dashboard.
Fix
JavaScript is now blocked from iframes in Web Content tiles.
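As an added illustration of this class of fix (not SquaredUp's own code, and making no claim about how the product implements it), the snippet below renders a user-supplied Web Content tile URL as an iframe whose script execution is blocked by the HTML `sandbox` attribute, and refuses non-http(s) URLs such as `javascript:` or `data:` before they reach the markup. The function names and the error markup are assumptions for this example.

```javascript
// Added example: hardened rendering of a Web Content tile iframe.
// Function names (validateTileUrl, renderWebContentTile) are hypothetical.

// Escape the characters that matter inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Accept only absolute http(s) URLs. Anything else (javascript:, data:,
// relative paths, unparsable input) is rejected and yields null.
function validateTileUrl(raw) {
  let parsed;
  try {
    parsed = new URL(raw); // WHATWG URL parser, global in Node and browsers
  } catch (e) {
    return null;
  }
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") {
    return null;
  }
  return parsed.href;
}

// Build the tile markup. An empty sandbox attribute applies every restriction:
// script in the framed document does not run, it is treated as a unique origin
// (so it cannot read the dashboard's cookies or storage), and it cannot
// navigate the top-level dashboard page. referrerpolicy keeps the dashboard
// URL from leaking to the framed site.
function renderWebContentTile(rawUrl) {
  const href = validateTileUrl(rawUrl);
  if (href === null) {
    return '<div class="tile-error">Web Content tile URL rejected</div>';
  }
  return `<iframe src="${escapeAttr(href)}" sandbox="" referrerpolicy="no-referrer"></iframe>`;
}

// Constructed sample inputs for a stand-alone run.
const samples = [
  "https://status.example.com/board",   // accepted
  "javascript:alert(document.cookie)",  // rejected: not http(s)
  "data:text/html,<script>1</script>",  // rejected: not http(s)
  "not a url at all",                   // rejected: unparsable
];
for (const s of samples) {
  console.log(renderWebContentTile(s));
}
```

The validation step is belt-and-braces: with `sandbox=""` in place, even a `javascript:` source would not execute, but rejecting it up front keeps the stored dashboard definition free of script-bearing URLs in the first place. If a tile genuinely needs framed content to run its own script, the dashboard should add only the specific `allow-*` tokens required rather than dropping the attribute.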
What should you do?
If you are using a SquaredUp DS version earlier than 4.6, update to version 4.6 or later.
Affected and resolved software versions
Product | Affected versions | Resolved versions
SquaredUp DS for SCOM | Versions earlier than 4.6 | 4.6 and later versions
SquaredUp DS for Azure | Versions earlier than 4.6 | 4.6 and later versions
Acknowledgement
SquaredUp would like to thank Giuseppe-Diego Gianni from NATO for reporting this vulnerability.
Did you notice a vulnerability or need further help?
Please contact SquaredUp Support
If you believe you've found a different security vulnerability in one of our products please report it by emailing our support team so we can work on fixing it: [email protected]
Revision history of this article
3.2.2021 | Initial release
10.6.2021 | Updated support contact information
8.11.2021 | Updated title