CVE-2020-9390 - Stored cross-site scripting (Web Content and Visio tile)
CVE: CVE-2020-9390
Description
Cross-site scripting (XSS) enable attackers to bring malicious content into a website or application.
Before Dashboard Server version 4.6, stored XSS was possible for Web Content and Visio tiles. Exploiting this vulnerability was possible for Dashboard Server users who can create dashboards.
Users could create a dashboard with a Web Content tile that embeds an iframe pointing to malicious JavaScript. For example, it was possible to point to a page that emulates session timeout and asks for credentials when a user views the dashboard.
Users could also create a dashboard with a Visio tile that uses an SVG with malicious script to execute in a user's session. Whenever a user would view a dashboard with the malicious content, the JavaScript would be executed in the context of their browser.
Fix
JavaScript is now blocked from iframes in Web Content tiles. A purifier for SVG images has been implemented to ensure the image is free from malicious scripts.
What should you do?
If you are using a Dashboard Server version earlier than 4.6, update to version 4.6 or later.
Affected and resolved software versions
Product | Affected versions | Resolved versions |
SCOM Edition | Versions earlier than 4.6 | 4.6 and later versions |
Azure Edition | Versions earlier than 4.6 | 4.6 and later versions |
Acknowledgement
SquaredUp would like to thank Giuseppe-Diego Gianni from NATO for reporting this vulnerability.
Did you notice a vulnerability or need further help?
Please contact SquaredUp Support if you have any questions about this vulnerability or need further help.
If you believe you've found a different security vulnerability in one of our products please report it by emailing our support team so we can work on fixing it: security@squaredup.com
Revision history of this article
3.2.2021 | Initial release |
10.6.2021 | Updated support contact information |
8.11. 2021 | Updated title |