CVE-2020-9388

Name of the Vulnerable Software and Affected Versions: SquaredUp versions prior to 4.6.0

Description: The issue allows for a potential CSRF attack, where an administrator could execute arbitrary code in a HTML dashboard tile via a crafted HTML page, or by uploading a malicious SVG payload into a dashboard. This is possible due to the lack of CSRF protection in SquaredUp before version 4.6.0.

Recommendations: For versions prior to 4.6.0, update to version 4.6.0 or later to resolve the issue. As a temporary workaround, consider restricting access to HTML dashboard tiles and disabling the upload of SVG payloads into dashboards until a patch is applied.