PT-2021-11093 · Quadbase · Quadbase Espressreports Es

Published: 2021-03-11 · Updated: 2021-03-19 · CVE-2020-24983
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Quadbase EspressReports ES version 7 Update 9
Description: An unauthenticated attacker can craft a malicious HTML page containing a POST request to the "DashboardBuilder" component of the target web application. When a logged-in administrator loads that page, the browser submits the request with the admin's session, so the application performs the authenticated action (for example, changing a dashboard name) as if the victim had done it themselves. This is a Cross-Site Request Forgery (CSRF) attack.
Recommendations: For Quadbase EspressReports ES version 7 Update 9, implement CSRF protection, such as token-based validation of state-changing requests, to prevent unauthorized requests. As a temporary workaround, restrict access to the DashboardBuilder feature to minimize the risk of exploitation.
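To make the recommended token-based validation concrete, here is an added example of a server-side check in front of a DashboardBuilder POST (written for this page, not Quadbase's code; the request model, site origin, field names and sample traffic are assumptions). It rejects the cross-site auto-submitted POST the description mentions while accepting a request carrying the session-bound token.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical request model: what a server-side filter guarding
# "DashboardBuilder" would see (names are assumptions, not the product's API).
@dataclass
class Request:
    method: str
    path: str
    headers: dict
    form: dict
    session: dict = field(default_factory=dict)

SITE_ORIGIN = "https://reports.example.internal"   # constructed value
PROTECTED_PREFIX = "/DashboardBuilder"

def issue_csrf_token(session: dict) -> str:
    """Bind a fresh random token to the authenticated session. The server
    embeds it in its own forms; a foreign page can neither read nor guess it."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token

def csrf_check(req: Request) -> tuple:
    """Return (allowed, reason). State-changing requests to DashboardBuilder
    must come from our own origin AND carry the session-bound token."""
    if req.method in ("GET", "HEAD", "OPTIONS") or not req.path.startswith(PROTECTED_PREFIX):
        return True, "not a protected state change"
    # Defence 1: browsers attach Origin to cross-site POSTs and do not let a page
    # forge it, so a mismatch identifies a request the user did not intend.
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not (origin == SITE_ORIGIN or origin.startswith(SITE_ORIGIN + "/")):
        return False, "cross-origin request rejected"
    # Defence 2: synchronizer token, compared in constant time.
    expected = req.session.get("csrf_token")
    supplied = req.form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False, "missing or invalid CSRF token"
    return True, "ok"

def demo() -> dict:
    """Constructed traffic: a forged POST auto-submitted by a malicious page while
    the admin is logged in (the browser still attaches the session cookie), and a
    legitimate POST from the application's own form."""
    session = {"user": "admin"}   # cookie-backed session; constructed
    token = issue_csrf_token(session)
    forged = Request("POST", "/DashboardBuilder", {"Origin": "https://attacker.example"},
                     {"dashboardName": "renamed"}, session)
    legit = Request("POST", "/DashboardBuilder", {"Origin": SITE_ORIGIN},
                    {"dashboardName": "Sales Q1", "csrf_token": token}, session)
    return {"forged": csrf_check(forged), "legit": csrf_check(legit)}
```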

Tags: Exploit · Fix · CSRF


Related Identifiers: CVE-2020-24983
Affected Products: Quadbase Espressreports Es