CVE-2020-9388 - API Endpoints are not protected against CSRF
CVE: CVE-2020-9388
Description
Cross-Site Request Forgery (CSRF) is an attack that enables a malicious actor to execute unwanted actions. Before Dashboard Server version 4.6, CSRF protection was not present for API endpoints.
This could be exploited by sending a Dashboard Server user a link to a malicious site or implementing a forged request in a Dashboard Server dashboard. When the malicious page is opened by the user, the request would be made to the Dashboard Server API using the victim's session. For example, the malicious HTML code could make a successful request to add or remove users from the Named User list or upload a malicious SVG image (see CVE-2020-9390 - Stored cross-site scripting (Web Content and Visio tile)).
Fix
Since Dashboard Server version 4.6, this vulnerability has been fixed. All requests are now validated using an appropriate token.
What should you do?
If you are using a Dashboard Server version earlier than 4.6, update to version 4.6 or later.
Affected and resolved software versions
Product | Affected versions | Resolved versions |
SCOM Edition | Versions earlier than 4.6 | 4.6 and later versions |
Azure Edition | Versions earlier than 4.6 | 4.6 and later versions |
Acknowledgement
SquaredUp would like to thank Giuseppe-Diego Gianni from NATO for reporting this vulnerability.
Did you notice a vulnerability or need further help?
Please contact SquaredUp Support if you have any questions about this vulnerability or need further help.
If you believe you've found a different security vulnerability in one of our products please report it by emailing our support team so we can work on fixing it: security@squaredup.com
Revision history of this article
3.2.2021 | Initial release |
10.6.2021 | Updated support contact information |