CVE-2021-40093 - Stored cross-site scripting (Action Buttons)
Cross-site scripting (XSS) enable attackers to bring malicious content into a website or application.
Before Dashboard Server version 5.3.1, stored XSS was possible for action buttons. Exploiting this vulnerability was possible for Dashboard Server users who can create dashboards.
A purifier for action buttons has been implemented to ensure the action is free from malicious scripts.
What should you do?
If you are using a Dashboard Server version earlier than 5.3.1, update to version 5.3.1 or later.
Affected and resolved software versions
|Product||Affected versions||Resolved versions|
|SCOM Edition||Versions earlier than 5.3.1||5.3.1 and later versions|
|Azure Edition||Versions earlier than 5.3.1||5.3.1 and later versions|
|Community Edition||Versions earlier than 5.3.1||5.3.1 and later versions|
SquaredUp would like to thank Kajetan Rostojek from ING Tech Poland for reporting this vulnerability.
Did you notice a vulnerability or need further help?
Please contact SquaredUp Support if you have any questions about this vulnerability or need further help.
If you believe you've found a different security vulnerability in one of our products please report it by emailing our support team so we can work on fixing it: firstname.lastname@example.org
Revision history of this article