CVE-2020-9388

Published: 03 Feb 2021
Source: nvd
CVSS3: 6.5
CVSS2: 4.3
EPSS: Low

Description

CSRF protection was not present in SquaredUp before version 4.6.0. A CSRF attack could have been possible by an administrator executing arbitrary code in a HTML dashboard tile via a crafted HTML page, or by uploading a malicious SVG payload into a dashboard.

Vulnerable configurations

Configuration 1

One of

cpe:2.3:a:squaredup:squaredup:*:*:*:*:azure:*:*:*
Versions before 4.6 (excluding)
cpe:2.3:a:squaredup:squaredup:*:*:*:*:system_center_operations_manager:*:*:*
Versions up to 4.6 (including)

EPSS

Percentile: 36%
0.00155
Low

CVSS3: 6.5 Medium

CVSS2: 4.3 Medium

Weaknesses

CWE-352

Related vulnerabilities

CVSS3: 6.5
github
more than 3 years ago

CSRF protection was not present in SquaredUp before version 4.6.0. A CSRF attack could have been possible by an administrator executing arbitrary code in a HTML dashboard tile via a crafted HTML page, or by uploading a malicious SVG payload into a dashboard.
