Squaredup · Squaredup · CVE-2020-9388
Name of the Vulnerable Software and Affected Versions:
SquaredUp versions prior to 4.6.0
Description:
The issue allows for a potential CSRF attack, where an administrator could execute arbitrary code in a HTML dashboard tile via a crafted HTML page, or by uploading a malicious SVG payload into a dashboard. This is possible due to the lack of CSRF protection in SquaredUp before version 4.6.0.
Recommendations:
For versions prior to 4.6.0, update to version 4.6.0 or later to resolve the issue. As a temporary workaround, consider restricting access to HTML dashboard tiles and disabling the upload of SVG payloads into dashboards until a patch is applied.