CVE-2021-40096 - Stored cross-site scripting (provider configuration)
CVE: CVE-2021-40096
Description
Cross-site scripting (XSS) enables attackers to inject malicious content into a website or application.
Before Dashboard Server version 5.3.1, stored XSS was possible when creating an Azure Active Directory, Azure App Insights, or Azure Log Analytics provider. This vulnerability allows remote attackers to inject arbitrary web script or HTML.
What should you do?
If you are using a Dashboard Server version earlier than 5.3.1, update to version 5.3.1 or later.
Affected and resolved software versions
Product | Affected versions | Resolved versions |
SCOM Edition | Versions earlier than 5.3.1 | 5.3.1 and later versions |
Azure Edition | Versions earlier than 5.3.1 | 5.3.1 and later versions |
Community Edition | Versions earlier than 5.3.1 | 5.3.1 and later versions |
Acknowledgement
SquaredUp would like to thank Kajetan Rostojek from ING Tech Poland for reporting this vulnerability.
Did you notice a vulnerability or need further help?
Please contact SquaredUp Support if you have any questions about this vulnerability or need further help.
If you believe you've found a different security vulnerability in one of our products, please report it by emailing our support team so we can work on fixing it: security@squaredup.com
Revision history of this article
10.11.2021 | Initial release |