CVE-2020-9390 - Stored cross-site scripting
Cross-site scripting (XSS) enables attackers to inject malicious content into a website or application.
Before SquaredUp version 4.6, stored XSS was possible for Web Content and Visio tiles. Exploiting this vulnerability was possible for SquaredUp users who can create dashboards.
Users could also create a dashboard with a Visio tile that uses an SVG containing malicious script, which then executes in a user's session.
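A check for script-bearing SVG files of the kind described above, as an added example; it is not SquaredUp's code and not how the 4.6 fix works. The element and attribute lists and the sample inputs are assumptions constructed for illustration, and the check covers common script carriers rather than acting as a complete sanitizer.

```python
import re
import xml.etree.ElementTree as ET

# Elements that run script or embed arbitrary HTML inside an SVG (compared lowercased).
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
URL_ATTRS = {"href", "src"}
SCRIPT_URL = re.compile(r"^(javascript:|vbscript:|data:text/html)", re.I)

def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1]

def find_active_content(svg_bytes):
    """Return a list of findings; an empty list means no active content was found."""
    # Reject DTDs up front: a diagram does not need them and they enable entity abuse.
    if re.search(rb"<!(DOCTYPE|ENTITY)", svg_bytes, re.I):
        return ["DOCTYPE/ENTITY declaration"]
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]  # fail closed on malformed input
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag.lower() in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = local(attr).lower()
            # Browsers strip leading whitespace and embedded tabs/newlines from URLs,
            # so remove whitespace and control characters before matching the scheme.
            url = re.sub(r"[\x00-\x20]", "", value)
            if name.startswith("on"):
                findings.append(f"{name} handler on <{tag}>")
            elif name in URL_ATTRS and SCRIPT_URL.match(url):
                findings.append(f"script URL in {name} on <{tag}>")
    return findings

# Constructed sample inputs (not taken from the advisory).
NS = b'xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"'
SAMPLES = {
    "clean": b'<svg ' + NS + b'><rect width="10" height="10"/></svg>',
    "script": b'<svg ' + NS + b'><script>alert(1)</script></svg>',
    "handler": b'<svg ' + NS + b'><rect onclick="alert(1)" width="1" height="1"/></svg>',
    "link": b'<svg ' + NS + b'><a xlink:href=" javascript:void(0)"><text>x</text></a></svg>',
}

if __name__ == "__main__":
    for label, data in SAMPLES.items():
        print(label, find_active_content(data) or "no active content")
```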
What should you do?
If you are using a SquaredUp version earlier than 4.6, update to version 4.6 or later.
Affected and resolved software versions
| Product | Affected versions | Resolved versions |
|---|---|---|
| SquaredUp for SCOM | Versions earlier than 4.6 | 4.6 and later versions |
| SquaredUp for Azure | Versions earlier than 4.6 | 4.6 and later versions |
SquaredUp would like to thank Giuseppe-Diego Gianni from NATO for reporting this vulnerability.
Did you notice a vulnerability or need further help?
Please contact our support team if you have any questions about this vulnerability or need further help.
If you believe you've found a different security vulnerability in one of our products, please report it by emailing our support team so we can work on fixing it: firstname.lastname@example.org
Revision history of this article
| 10.6.2021 | Updated support contact information |