Vulnerabilities for 'Squaredup'

2021-02-03
 
CVE-2020-9390

CWE-79
 

 
SquaredUp allowed Stored XSS before version 4.6.0. A user was able to create a dashboard that executed malicious content in an iframe or by uploading an SVG that contained a script.

 
 
CVE-2020-9389

CWE-203
 

 
A username enumeration issue was discovered in SquaredUp before version 4.6.0. The login functionality was implemented in a way that would enable a malicious user to guess a valid username due to a different response time from invalid usernames.

 
 
CVE-2020-9388

CWE-352
 

 
CSRF protection was not present in SquaredUp before version 4.6.0. A CSRF attack could have been possible by an administrator executing arbitrary code in an HTML dashboard tile via a crafted HTML page, or by uploading a malicious SVG payload into a dashboard.

 


Copyright 2021, cxsecurity.com

 
